There is a flaw in the incSession.php logic which assumes that the header() calls will always do the right thing!

A quick fix just includes putting exit(); directly after the header(); statements, so that if the header() fails then your script will exit anyway and will not fall through to allow access to someone not authorised.

A slightly better solution is to replace your incSession.php code with the one included in this archive. This code allows for headers already sent and will try java and plain html redirects and, if all fails, will exit anyway, thus preventing someone unauthorised from gaining access.

This is not the complete package; it only includes incSession.php.

All credit goes to the original authors for a fantastic patch!

Cheers
Lukec
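The pattern the post describes, written out as an added example that is not the incSession.php shipped in the archive or the original authors' code. It shows the header()-only guard beside a hardened guard that checks headers_sent(), falls back to client-side redirects, and exits in every case. The session key `user_id`, the `login.php` target and the function names are assumptions made for this illustration.

```php
<?php
// Added example (not the original incSession.php from the archive).
// Assumptions: the session stores the authenticated user id under
// $_SESSION['user_id'] and the login page lives at login.php.
// Both names are placeholders chosen for this illustration.

// FLAWED PATTERN: header() only queues a Location header. PHP keeps
// executing, so the protected page that includes this guard is still
// generated and sent in the response body. If output was already sent
// before the include, the redirect is never issued at all and the
// script simply falls through to the protected content.
function guardWithHeaderOnly(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');
        // no exit(): execution continues into the protected page
    }
}

// HARDENED PATTERN: redirect if we still can, otherwise fall back to a
// client-side redirect, and in every case stop the script so nothing
// protected is emitted.
function requireLogin(string $loginUrl = 'login.php'): void
{
    if (!empty($_SESSION['user_id'])) {
        return; // authenticated: let the including page continue
    }

    if (!headers_sent()) {
        // Normal case: HTTP 302 redirect. The exit() is what actually
        // prevents the rest of the page from being sent.
        header('Location: ' . $loginUrl, true, 302);
        exit();
    }

    // Headers already went out, so a Location header would be ignored
    // (and PHP would emit a warning). Fall back to a meta refresh and a
    // JavaScript redirect for clients that honour either one.
    $safeUrl = htmlspecialchars($loginUrl, ENT_QUOTES, 'UTF-8');
    echo '<meta http-equiv="refresh" content="0;url=' . $safeUrl . '">';
    echo '<script>window.location.replace(' . json_encode($loginUrl) . ');</script>';
    echo '<p>Please <a href="' . $safeUrl . '">log in</a> to continue.</p>';

    // Whether or not the client follows the redirect, stop here. This
    // line is the real access control; everything above is convenience.
    exit();
}

// Usage: at the top of every protected page, before any output.
// session_start();
// require_once 'incSession.php';
// requireLogin();
```

The point to keep in mind is that a redirect is a suggestion to the browser, not access control: any client that simply ignores the Location header still receives whatever the script emits afterwards. The exit() calls are therefore the part of requireLogin() that enforces the check, and the fallbacks only improve the experience for ordinary browsers when headers have already been sent.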
