[Resolved] $_SESSION Security

fean0r

I have discovered a problem with the security on my site as a result of me not understanding $_SESSIONS properly!

If i use

$_SESSION['access']="No"

then if I use

$access=Yes

This also changes the $_SESSION['test'] is there anyway to stop this from happening?

Also can a user expliot this by changing the url for example

http://www.site.com/index.php?access=Yes

suntra

First question to ask is: is register_globals on? It should not be!

Also, when you set a variable in the query string, it is set before anycode is executed, so if you set thatsame variable in the code, it will have the value YOU gave it.

Hope it helps.

fean0r

Thanks for your suggestions, I found an alternative way to ensure my code is not explioted.