I was asked by an employer to install both a timeclock and a messaging system for employees. For the former, I went with the latest version of PHP Timeclock and it has been working out great. For the messaging system, I chose to use another simple script I downloaded called "E-post".
If I log onto any account on e-post to check my messages--the default "test1" account, for example--then switch to the timeclock's main page without logging out, the timeclock page believes that I'm logged on as an admin user called "test1," a username that shouldn't even exist in the context of this app. It is thus frighteningly easy to gain access to the admin page of PHP Timeclock while E-post is being used, although it is in a different location on the server and uses a different MySQL database.
I'm not an expert programmer, but I'm guessing the "session" codes that check for a valid user on E-post and a valid admin user on PHP Timeclock are basically the same. Perhaps a solution would be if the Timeclock page checked to see if the admin you were logged in as was actually a real administrator, but this could still create conflicts if there were any usernames being used on both apps.
Is there a simple solution for this?
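As an added illustration, not code from PHP Timeclock or E-post (the post does not show either script's actual session handling): the symptom described above is what you get when two PHP applications on the same host share PHP's default session cookie (PHPSESSID, path /) and store the logged-in user under the same $_SESSION key, with the admin check only testing that the key is set. The snippet below sketches that assumed shape and then shows one way to fix it on the timeclock side: give the app its own session cookie name and path, keep its identity under app-specific keys, and re-verify the user against the app's own admin table on every request. The session key names, table and column names, the /timeclock/ path, the file names and the PDO DSN are all assumptions; PHP 7.1 or later is assumed for the type declarations.

```php
<?php
// Added illustration; not PHP Timeclock or E-post code.
// Assumed shape of both scripts today (this is the collision):
//   messaging app, after login:   session_start(); $_SESSION['user'] = 'test1';
//   timeclock admin page:         session_start();
//                                 if (!isset($_SESSION['user'])) { header('Location: login.php'); exit; }
// Same cookie name, same session file, same key, no check that 'test1' exists in the
// timeclock's own database, so the timeclock trusts a login it never performed.

// 1. Give the timeclock its own session cookie so it never even opens the other app's session.
//    Positional signature is used for compatibility with older PHP: lifetime, path, domain, secure, httponly.
function timeclock_session_start(): void
{
    session_name('TIMECLOCKSESSID');                       // distinct from the default PHPSESSID
    session_set_cookie_params(0, '/timeclock/', '', false, true); // path is an assumption
    session_start();
}

// 2. On login, regenerate the session id so an id established by another app (or by an attacker)
//    is not reused, and store the identity under keys specific to this app.
function timeclock_login(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['tc_user']     = $user;
    $_SESSION['tc_login_ok'] = true;
}

// 3. Never treat a bare username in the session as proof of admin rights: look the user up in
//    the timeclock's own admin table on every admin request (table and columns are assumptions).
function current_admin(PDO $db): ?string
{
    if (empty($_SESSION['tc_login_ok']) || empty($_SESSION['tc_user'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT username FROM admins WHERE username = ? AND active = 1');
    $stmt->execute([$_SESSION['tc_user']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}

function require_admin(PDO $db): string
{
    $admin = current_admin($db);
    if ($admin === null) {
        session_unset();                 // drop whatever was in the session, whoever put it there
        header('Location: login.php');   // assumed login page name
        exit;
    }
    return $admin;
}

// Usage at the top of the timeclock's admin page (assumed DSN and credentials):
//   timeclock_session_start();
//   $db    = new PDO('mysql:host=localhost;dbname=timeclock', $dbUser, $dbPass);
//   $admin = require_admin($db);
```

Changing the cookie name alone already stops the cross-over, because the timeclock then reads a different session than the messaging script, so a username that exists in both apps no longer matters. The database re-check is the belt to that suspenders: even if the two sessions were somehow merged again, a name that is not in the timeclock's admin table would be rejected. The same two changes can be applied on the E-post side (with its own session_name), or, if neither script can be edited, each app can be given a separate session.save_path in its own PHP configuration so their session files never mix.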