The "Freeola Customer Forum" forum, which includes Retro Game Reviews, has been archived and is now read-only. You cannot post here or create a new thread or review on this forum.
A little while back I worked on my first logon page for a website, and all seemed to go well. However, checking the source today, when you fire up the logon page initially, after the
Page:
Following on from this...
Is there a way to obtain the URL as it appears in the browser...? That way it would be possible to check if the user had entered a PHPSESSID as a variable in the URL, and let me display an error message if they had.
ie. if they'd entered:
www.mypage.com/logon.php?PHPSESSID=1234
then I'd check to see if PHPSESSID existed in the URL string and give an error message if it was present...
Had a quick browse on the web but canna find anything yet... I'm sure it must be possible though?
[EDIT] - Don't worry, just added a session_regenerate_id() straight after the session_start() to ensure that even if someone specifies a PHPSESSID in the URL, it's changed when they view the page.
Is there a way to obtain the URL as it appears in the browser...? That way it would be possible to check if the user had entered a PHPSESSID as a variable in the URL, and let me display an error message if they had.
ie. if they'd entered:
www.mypage.com/logon.php?PHPSESSID=1234
then I'd check to see if PHPSESSID existed in the URL string and give an error message if it was present...
Had a quick browse on the web but canna find anything yet... I'm sure it must be possible though?
[EDIT] - Don't worry, just added a session_regenerate_id() straight after the session_start() to ensure that even if someone specifies a PHPSESSID in the URL, it's changed when they view the page.
$_SERVER["REQUEST_URI"] will give you the requesting URL.
If you're not accepting session id via the URL anymore, you may well find PHPSESSID in $_GET/$_POST/$_REQUEST too.
Also you should really change PHPSESSID with session_name to something a little less obvious.
If you're not accepting session id via the URL anymore, you may well find PHPSESSID in $_GET/$_POST/$_REQUEST too.
Also you should really change PHPSESSID with session_name to something a little less obvious.
I thought about changing session name, but it seems a bit pointless... If the reason for changing it is security, the people who would be able to exploit any holes would very easily be able to check their cookies for the session name... Rendering the name change a bit pointless surely...?
Yep, it'll make little difference changing the session name but even so PHPSESSID clearly announces what the variable is, and thus how your site might be vulnerable to attacks. Rename it to something else and theres at least the chance that the variable will be overlooked by some script/individual or whatever. Its one line of code to do it, what do you have to lose?
Page: