1
limecity
Access using other member's account
  • 2005/5/7 8:12

  • limecity

  • Friend of XOOPS

  • Posts: 1602

  • Since: 2003/7/6 0


I had a big problem the other day.

One member pasted the url of the page he was browsing that looked something like this

http://www.xoopssite.com/modules/newbb/viewtopic.php?topic_id=828&viewmode=flat&order=DESC&start=10&PHPSESSID=9e3b91c44f53e2c2ab10c49712a59f6c

Then the guy who clicked on the url was able to access the XOOPS site with that guy's account. And able to change the password also!


How to prevent all these
"&PHPSESSID=9e3b91c44f53e2c2ab10c49712a59f6c"

from showing at the end of the URL?

2
Dave_L
Re: Access using other member's account
  • 2005/5/7 10:09

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


What's the value of the PHP configuration setting session.use_trans_sid?

3
limecity
Re: Access using other members account
  • 2005/5/7 12:02

  • limecity

  • Friend of XOOPS

  • Posts: 1602

  • Since: 2003/7/6 0


Er... where do I find that out?
You mean the user cookie setting?

4
jdseymour
Re: Access using other members account

I believe that is a php.ini setting.

5
m0nty
Re: Access using other members account
  • 2005/5/7 12:15

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


see HERE

also you can use

php_flag session.use_only_cookies on

for tighter session control too.
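
An added example, not part of the original thread: a Python check for the two settings named in the replies above, accepting either php.ini lines or the `php_flag` form, plus a test for a URL that carries the session ID like the link in the first post. The function names and the sample configuration text are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Settings named in the thread, with the value that keeps session IDs out of URLs.
SAFE = {"session.use_trans_sid": False, "session.use_only_cookies": True}
TRUTHY = {"1", "on", "true", "yes"}

# Matches php.ini lines ("key = value") and Apache lines ("php_flag key value").
LINE = re.compile(
    r"^\s*(?:php_(?:admin_)?(?:flag|value)\s+)?(session\.[a-z_]+)"
    r"\s*(?:=|\s)\s*\"?([^\s\";#]+)",
    re.IGNORECASE,
)

def audit(config_text):
    """Return {setting: 'ok' | 'risky' | 'unset'} for the two session settings."""
    seen = {}
    for raw in config_text.splitlines():
        if raw.lstrip().startswith((";", "#")):  # skip ini and Apache comments
            continue
        m = LINE.match(raw)
        if m and m.group(1).lower() in SAFE:
            seen[m.group(1).lower()] = m.group(2).lower() in TRUTHY  # last value wins
    return {
        key: "unset" if key not in seen else ("ok" if seen[key] == want else "risky")
        for key, want in SAFE.items()
    }

def url_leaks_session(url, name="PHPSESSID"):
    """True when the session ID travels in the query string, as in the thread's link."""
    return name in parse_qs(urlsplit(url).query)

# Constructed sample: php.ini that lets PHP append the session ID to links.
WEAK_INI = """
; constructed sample
session.use_trans_sid = 1
session.use_only_cookies = 0
"""
# Constructed sample: .htaccess in the php_flag form used in the reply above.
HARDENED_HTACCESS = """
# constructed sample
php_flag session.use_trans_sid off
php_flag session.use_only_cookies on
"""
THREAD_URL = ("http://www.xoopssite.com/modules/newbb/viewtopic.php?topic_id=828"
              "&viewmode=flat&order=DESC&start=10"
              "&PHPSESSID=9e3b91c44f53e2c2ab10c49712a59f6c")

if __name__ == "__main__":
    print(audit(WEAK_INI), audit(HARDENED_HTACCESS), url_leaks_session(THREAD_URL))
```

A result of `unset` means the file does not mention the setting, so whatever default the installed PHP version ships with is in effect.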
