Posted by Gordon Burditt on 02/18/07 18:36

>I have a security mechanism that checks that session variables are set,
>and if not, redirects. It seems, however, that CURL just ignores this
>statement and completely breaches my security.
>
>Does anyone have any ideas how to avoid this?

If you send sensitive data to the browser anyway when it fails
requirements for getting it, you have no security. Never depend
on the browser to do what you want. It could just be something
that sucks down the response and stores it in a file, or a telnet
client that logs the session. Oh, yes, ordinary clients might cache
it where it can be found by a user, also.

One of the more likely clients to ignore your "security" mechanism
is a search engine.

• Next in forum: Re: getting last file from linux directory
• Prev in forum: Re: should i use some framework out there?
• Thread view: Re: CURL ignores $_SESSION???

[Reply to this message]