The hidden form idea is still very easily forged.
What's to say I don't make a form, store it locally, and click a button
to impersonate someone?
<form action=http://losthope.com/mypage.php method=POST>
<input type=text name=username />
<input type=hidden name=loggedin value=1 />
<input type=submit value=Impersonate />
</form>
[File > Save As > C:\NameThief.html]
See what I mean?
Check out PHP sessions. They'll take care of you.
But if you absolutely want to do it with an embedded form field...
well, refreshing shouldn't make a difference, because theoretically the
browser should repeat the exact same HTTP request it used in the first
place. i.e. Same form data.
There is no (simple, reliable) way to make JavaScript help you here.
The entire JavaScript 'state' is lost upon page refresh.
(if you're adamant, you could use an unload event handler that opens a
new window which monitors the main window for a return to your site and
auto-re-populates the information you want, then closes itself. but
this is really a lot of trouble when PHP [which you're already
implementing] can do all of this automatically with sessions)
P.S.
Did I mention PHP sessions?
lost hope wrote:
yeah, you're definitely right -- saving and passing around the
password is a bad idea. after i've verified that their username/pass is valid
(a database check), all i really need to pass around is the "login
status" and their "username" -- which could really just be condensed
down to username (when not null, the person is logged in). passing
around the username would allow them to post messages in their own
name, etc without having to continuously re-enter it. i could do
what you're suggesting, and do something like:
"mypage.php?username=random", however, then anyone could impersonate somebody else, by simply
typing "?username=random" into their browser. that's why i was trying to
store the username in a hidden form. but it seems there isn't any
way to grab that info when the page is refreshed. unless i'm missing
something?
