[Phplib-users] more auth->start woes
From: Giancarlo P. <gia...@na...> - 2002-06-10 08:35:38
But the final drop was when I realized that $auth->auth[uid] could be passed from outside. If you clean all your cookies and restart the browser (or disable cookies all the way), and open showoff.php3?Example_Session=form, your auth[uid] is now 'form'. You are in the 'login in progress' status. If you add some POST data input as $username and password, I bet you can register, without the form being submitted. As the goal of auth[uid]==form was to be assured that the form was previously shown somewhere before considering the input fields, this defeats also the only advantage of that intermediate status. So for me it is broken.

Gian

PS: with the latest cvs version of php-lib-stable this behaviour doesn't work anymore because user input is no more trusted on session creation, but before it was like that. And I sulevate you about the mode=log/reg stuff, which wants to 'state centrally' what the global policy is... impeding you from deciding case by case.
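The following is an added illustration of the pattern the message describes; it is not PHPLIB code and not Gian's, and the function names, the array-based stand-in for the session store, and the constructed sample request are assumptions made for the example. The vulnerable function lets request input land on auth['uid'] (the register_globals-era behaviour), so a client with no session can claim the 'form' state and have its credentials examined; the hardened function initialises state server-side on session creation and never copies request data into it.

```php
<?php
// Added illustration of the flaw described in the message above; this is
// not PHPLIB code. Session state such as $auth->auth['uid'] must come only
// from the server-side store, never from request input. With
// register_globals-style handling, a request could place 'form' into
// auth['uid'] and so claim the "login in progress" state without the login
// form ever having been rendered.

// Constructed sample request: no session cookie; state and credentials are
// supplied entirely by the client, as in the scenario described.
$request = [
    'Example_Session' => 'form',
    'username'        => 'alice',
    'password'        => 'secret',
];

// Vulnerable pattern (hypothetical function): request variables land on the
// auth state, so the client chooses which state of the login state machine
// it is in.
function vulnerable_start(array $request, ?array $stored): array
{
    $auth = $stored ?? [];
    // Simulates register_globals overwriting auth['uid'] from the request.
    if (isset($request['Example_Session'])) {
        $auth['uid'] = $request['Example_Session'];
    }
    // uid == 'form' is taken to mean "the form was shown", so the
    // credentials are processed even though no form was ever served.
    // (Actual credential verification/registration is elided.)
    if (($auth['uid'] ?? null) === 'form'
        && isset($request['username'], $request['password'])) {
        $auth['uid']     = $request['username'];
        $auth['outcome'] = 'credentials accepted';
    }
    return $auth;
}

// Hardened pattern (hypothetical function): state is initialised server-side
// on session creation, request input is never copied into it, and
// credentials are only examined when the stored state itself records that
// the form was shown.
function hardened_start(array $request, ?array $stored): array
{
    if ($stored === null) {
        // New session: fixed initial state, independent of $request.
        return [
            'uid'        => 'form',
            'form_shown' => true,
            'outcome'    => 'form rendered, credentials ignored',
        ];
    }
    $auth = $stored;
    // Only a server-recorded form_shown flag unlocks credential handling.
    // (Actual credential verification/registration is elided.)
    if (($auth['form_shown'] ?? false) === true
        && isset($request['username'], $request['password'])) {
        $auth['uid']     = $request['username'];
        $auth['outcome'] = 'credentials accepted';
    }
    return $auth;
}

// No server-side session exists for this request (cookies cleared).
$v = vulnerable_start($request, null);
$h = hardened_start($request, null);
printf("vulnerable: uid=%s, %s\n", $v['uid'], $v['outcome'] ?? 'no outcome');
printf("hardened:   uid=%s, %s\n", $h['uid'], $h['outcome']);
```

The check that matters is the one in hardened_start: the "form was shown" fact is recorded by the code path that rendered the form and lives only in the server-side store, so a request cannot assert it. That is the same change the PS describes for the later php-lib-stable, where user input is no longer trusted on session creation.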