Session Problem Again (prattle)

Anon

OK, I have looked at the prattle source code but don't quite understand a few things:

After checking for login, the code does this:

session_register("uid");
session_register("hashid");
Now two session variables $uid, $hashid are stored.

Then on every protected page, this function is called:

function isloggedin()
{
global $uid;
global $hashid;
return ($hashid == makehashid($uid));
}

My question is:
In the isloggedin() function, both $uid and $hashid came from the session variables stored when the user login. Shouldn't ($hashid == makehashid($uid)) always return true? Or the user has to provide the $uid everytime?

Thanks!

Anon

It should. The point of the hashid is that it can't be forged, while a UID can be. Here's how it could be important:

Cracker tries to get in by passing an argument argument to the script:

prattle?roomid=28&uid=1

Code sees a valid uid, but no valid hashid. User rejected.

Cracker tries to forge hashid.

He can't, because it is dependent on a secret system passphrase and generates one of those frightful MD5 checksums:
"7f0a54881d4abf516ef5f6dc2ad20d6d6"

Anon

Great~~

Now I understand it totally. Thanks for making it clear for me!