Hello Support,
let's suppose there are TWO PHPRunner 4.1 projects on the same server in
D:\...PATH1\xx_list.php Application 1 created with PHPRunner
D:\...PATH2\yy_list.php Application 2 created with PHPRunner in a different path
The user logs into Application 1 with UserID as the primary key of the application.
Everything is okay. He is working with Application 1. His UserID is stored in $_SESSION["UserID"].
He knows one page of Application 2 on the same server.
Application 2 has nothing to do with Application 1.
So my customer now types the link yy_list.php for Application 2 directly into the existing browser window of Application 1.
As I see it, because $_SESSION["UserID"] exists, he now sees the page of a quite different PHPRunner application, Application 2,
although he is not a registered person in Application 2. But because of the existing session variable,
PHPRunner allows access to Application 2.
Manually entering a PHP page in the browser doesn't destroy the PHP session variables.
To get access to Application 2 he does no login, but goes directly to the known page of
Application 2.
The user gets access to Application 2 because of $_SESSION["UserID"] of Application 1, without doing a login in Application 2.
Security??? Or am I doing something wrong?
Best regards
Uwe Pfeiffer
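
Added example, not part of the original post and not PHPRunner's own code: one way to stop two PHP applications on the same host from accepting each other's logins, by giving each application its own session cookie and binding the login to an application ID. The function names, the "AppID" session key, the 'app2' ID and the /app2/ paths are assumptions made for illustration; PHP 5.2 or later is assumed.

```php
<?php
// Added example. All function names, IDs and paths below are hypothetical.

function app_session_start($appId, $cookiePath)
{
    // One cookie name per application, so the browser holds two separate
    // sessions instead of one shared PHPSESSID.
    session_name('SESS' . preg_replace('/[^A-Za-z0-9]/', '', $appId));
    // Lifetime 0 = until the browser closes; the cookie is only sent for
    // URLs under this application's path, and is HttpOnly.
    session_set_cookie_params(0, $cookiePath, '', false, true);
    session_start();
}

function app_login($appId, $userId)
{
    // Call after the application has verified the credentials itself.
    session_regenerate_id(true);
    $_SESSION['UserID'] = $userId;
    $_SESSION['AppID']  = $appId;   // binds this login to one application
}

function app_is_logged_in($appId, $session)
{
    // The server-side session store is still shared between applications,
    // so "UserID is set" is not enough: the login must belong to this app.
    return isset($session['UserID'], $session['AppID'])
        && $session['AppID'] === $appId;
}

function app_require_login($appId, $loginUrl)
{
    if (!app_is_logged_in($appId, $_SESSION)) {
        header('Location: ' . $loginUrl);
        exit;
    }
}

// At the top of every page of Application 2 (for example yy_list.php),
// before any output is sent:
app_session_start('app2', '/app2/');
app_require_login('app2', '/app2/login.php');
```

The separate cookie name and path keep the browser from presenting Application 1's session to Application 2; the AppID comparison is the check that still holds if a session ID from one application is presented to the other.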