can you use sessions to ensure the user visited a previous page? can a sessions be easily spoofed?

"NotGiven" <no****@nonegiven.net> wrote...
: [nothing]

1. don't post your entire question in the subject line
2. don't multipost
3. You can encrypt session vars with an md5() hash, for example. This will
make spoofing a lot more difficult.
..soma

Hi!

On Thu, 20 Nov 2003 00:02:25 +0100, "somaBoy MX" <no**@nonesuch.net>
wrote:

3. You can encrypt session vars with an md5() hash, for example. This will
make spoofing a lot more difficult.

I think its not necessary, as only already md5'ed session id gets
transported.

HTH, Jochen
--
Jochen Daum - CANS Ltd.
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/

On Wed, 19 Nov 2003 13:10:21 -0500, "NotGiven" <no****@nonegiven.net>
wrote:>

Use $_SESSION["HTTP_REFERER"]

The above server variable will tell you the page they arrived from.
You commonly use it in a script page to return to the form that
submitted towards it.

kafooey
- ka*****@nospam.yahoo.co.uk
- http://www.pluggedout.com/blog

Hi,

1. don't post your entire question in the subject line
2. don't multipost
3. You can encrypt session vars with an md5() hash, for example. This will
make spoofing a lot more difficult.

I agree, but to answer the question: yes you could use sessions to check if
a page was previously viewed. You could on one page initialize the session,
on the next page (the one that should be viewed before going on) set a var
in the session:

$_SESSION['pageviewed'] = true;

And on the third page you could check if this var is set:

if ($_SESSION['pageviewed']!=true) { die("Cheater!"); }

Remember you have to do a session_start on every page you use a session and
it should be done before any output is send to the browser.

Bye,
Jonathan