daveVk

msg:4540778 | 12:16 am on Jan 31, 2013 (gmt 0) |
The value from $_SESSION['loggedin'] needs to be transferred from the server PHP to the client by including it somewhere in the PHP-generated HTML or PHP-generated JavaScript with

    <?php echo $_SESSION['loggedin']; ?>

Within JavaScript maybe

    var ifloggedin = <?php echo $_SESSION['loggedin']; ?>;

OR

    if(<?php echo $_SESSION['loggedin']; ?> == 1) { window.location = "login-success.php"; }

Within HTML maybe

    <script> var ifloggedin = <?php echo $_SESSION['loggedin']; ?>; </script>
|
swa66

msg:4540862 | 9:37 am on Jan 31, 2013 (gmt 0) |
I'd make sure to properly escape any user-generated input before outputting it in a script context. XSS is really close by if you don't. See rule 3: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
|
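The escaping swa66 refers to, shown as an added example that is not part of any post in this thread: a raw echo of a session value into a script block beside a JSON-encoded one. The helper name js_literal, the 'username' key and the sample values are assumptions made for illustration; a plain array stands in for $_SESSION so the script runs from the command line.

```php
<?php
// Added example. js_literal() and the sample data are hypothetical.
// Requires PHP 7.3+ for JSON_THROW_ON_ERROR.

/**
 * Encode a PHP value as a JavaScript literal for use inside an inline
 * <script> block. The JSON_HEX_* flags emit <, >, &, ' and " as \uXXXX
 * escapes, so the value cannot terminate the script element or a
 * quoted string.
 */
function js_literal($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_THROW_ON_ERROR
    );
}

// Constructed stand-in for $_SESSION. The username is user-controlled
// and contains characters that end a string and a script element.
$session = [
    'loggedin' => 1,
    'username' => 'eve"; </script>',
];

// Raw echo, as in the first post. An unset value would produce
// "var ifloggedin = ;" (a syntax error), and a string value is copied
// into the script verbatim.
$raw = 'var username = "' . $session['username'] . '";';

// Encoded output. The flag is normalised to a boolean first, so the
// script always receives the literal true or false.
$loggedIn = !empty($session['loggedin']);
$encoded  = 'var ifloggedin = ' . js_literal($loggedIn) . ";\n"
          . 'var username = ' . js_literal($session['username']) . ';';

echo "Raw echo:\n<script>\n$raw\n</script>\n\n";
echo "JSON-encoded:\n<script>\n$encoded\n</script>\n";

// The client-side flag is only a display hint. Pages that require a
// login still check $_SESSION['loggedin'] on the server before sending
// any protected content.
```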
rigaconnect

msg:4540864 | 9:43 am on Jan 31, 2013 (gmt 0) |
Thanks for the information. Then it seems that for a login form it is better not to use Ajax... Better to use only PHP for processing.
|