Quote:
Originally Posted by Redcoder
I would be interested in finding out how they validate that the data was from that user... maybe the user left (CyberCafe scenario) and another (malicious) user used the computer next - how exactly do they catch that? Random session IDs in the browser cookies would only work if they are not on the same computer. Looks to me like a loophole that somebody with enough determination - and who makes multiple accounts for testing - could exploit.
What do ya think?
Well, considering the next user would need to know the previous user's password, I think it's a no-go to be honest. You could also put the user's ID number in the form (or a hashed version of it at least / a random value) so that you can compare the session data to make sure it belongs to the right user should another user log in with the same session ID.
As per Debbie's request, you can save the entire $_GET and $_POST arrays in the session (along with $_SERVER so you know the original URL), do your login and then check / use them as you originally would have done. This is a method I've used for a few years with minimal hassle, as I also had the same problem with my site (I have a session time-out / password-confirmation thing which needed to remember input and act on it after the login page).
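The stash-then-login flow described in the reply, with the session-ownership check from the first paragraph, as an added example (not the poster's code). It assumes a $_SESSION['user_id'] key set at login, a 10-minute limit on how long a stashed request stays valid, and that the calling page decides what to do with the returned request; all of these are assumptions for illustration.

```php
<?php
// Added example: stash a request in the session across a login, then hand it back
// only to the user who owns the session. Not the original poster's code.
session_start();

// Called on a protected page when the visitor is not (or no longer) logged in.
// Remembers method, URL and input, plus who owned the session at the time.
function stash_pending_request(): void
{
    $_SESSION['pending'] = [
        'method' => $_SERVER['REQUEST_METHOD'] ?? 'GET',
        'uri'    => $_SERVER['REQUEST_URI'] ?? '/',
        'get'    => $_GET,
        'post'   => $_POST,
        // null when nobody was logged in; set when this is a password re-confirmation
        'user'   => $_SESSION['user_id'] ?? null,
        'at'     => time(),
    ];
}

// Called once the password has been verified (assumed to happen elsewhere).
function complete_login(int $userId): void
{
    // Throw away the pre-login session id so a session id planted or seen
    // before login (shared machine, fixation) no longer identifies this user.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['auth_at'] = time();
}

// Called on the page the user lands on after login. Returns the stashed
// request, or null if there is none, it is stale, or it belonged to someone else.
function take_pending_request(int $maxAgeSeconds = 600): ?array
{
    $pending = $_SESSION['pending'] ?? null;
    unset($_SESSION['pending']);          // single use, whatever the outcome

    if ($pending === null) {
        return null;
    }
    if (time() - $pending['at'] > $maxAgeSeconds) {
        return null;                      // stale: do not replay old input
    }
    // If the stash was made while a user was logged in, only that same user
    // may resume it; a different account logging in on the same browser gets nothing.
    $current = $_SESSION['user_id'] ?? null;
    if ($pending['user'] !== null && $pending['user'] !== $current) {
        return null;
    }
    return $pending;
}

// Typical use on the post-login landing page (assumed layout):
//   $req = take_pending_request();
//   if ($req !== null && $req['method'] === 'POST') {
//       $_POST = $req['post'];   // restore input, then run the original handler
//       $_GET  = $req['get'];
//   }
```

The ownership check only matters for the re-confirmation case; for a first login the stash has no owner, and regenerating the session id at login is what stops a later visitor on the same machine from inheriting the authenticated session.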