can you use sessions to ensure the user visited a previous page? can a sessions be easily spoofed?

[NotGiven]

[somaBoy MX]

"NotGiven" <noname@nonegiven.net> wrote...
: [nothing]

1. don't post your entire question in the subject line
2. don't multipost
3. You can encrypt session vars with an md5() hash, for example. This will
make spoofing a lot more difficult.


..soma

[Jochen Daum]

Hi!

On Thu, 20 Nov 2003 00:02:25 +0100, "somaBoy MX" <none@nonesuch.net>
wrote:

>3. You can encrypt session vars with an md5() hash, for example. This will
>make spoofing a lot more difficult.

I think its not necessary, as only already md5'ed session id gets
transported.

HTH, Jochen
--
Jochen Daum - CANS Ltd.
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
[url]http://sourceforge.net/projects/phpdbedittk/[/url]

[kafooey]

On Wed, 19 Nov 2003 13:10:21 -0500, "NotGiven" <noname@nonegiven.net>
wrote:>

Use $_SESSION["HTTP_REFERER"]

The above server variable will tell you the page they arrived from.
You commonly use it in a script page to return to the form that
submitted towards it.



kafooey
- [email]kafooey@nospam.yahoo.co.uk[/email]
- [url]http://www.pluggedout.com/blog[/url]

[Jonathan]

Hi,

> 1. don't post your entire question in the subject line
> 2. don't multipost
> 3. You can encrypt session vars with an md5() hash, for example. This will
> make spoofing a lot more difficult.

I agree, but to answer the question: yes you could use sessions to check if
a page was previously viewed. You could on one page initialize the session,
on the next page (the one that should be viewed before going on) set a var
in the session:

$_SESSION['pageviewed'] = true;

And on the third page you could check if this var is set:

if ($_SESSION['pageviewed']!=true) { die("Cheater!"); }

Remember you have to do a session_start on every page you use a session and
it should be done before any output is send to the browser.

Bye,
Jonathan