session security stuff

[jk11uk]

my login page regenerates the session id then sets $_SESSION[user] = (the username logged in with)

 

this $_SESSION[user] is then used to get info on loads of different pages. would a hacker just easily be able to make a session and set their username to whatever they wanted? ofr is this seccure?

[Xurion]

No, that's a safe way to do it.

[Xurion]

Also, correct syntax would be:

 

$_SESSION['user']

[conker87]

Also, correct syntax would be:

 

$_SESSION['user']

Not really.

 

echo "$_SESSION[user]";

 

works, while

 

echo "$_SESSION['user']";

 

wouldn't.

 

 

[jk11uk]

thanks a lot everyone 

[mlin]

Not really.

 

echo "$_SESSION[user]";

 

works, while

 

echo "$_SESSION['user']";

 

wouldn't.

 

I believe you that it somehow works in your application, but he's right about the syntax. If the key is anything other than a numerical index, the key String should be quoted as such. To echo in quotes without concatenating, or saving the session var into a simpler var like $user = $_SESSION['user'], then echoing, you can use this syntax (I forget the name):

 

echo "{$_SESSION['user']}";

 

works for all arrays such as:

 

echo "favorite browser is {$browsers['favorite']}, while the worst is {$browsers['worst']}";

[PFMaBiSmAd]

The curly bracket {} method is recommend so that you can use the same syntax for variables inside of double-quoted strings that you use for variables not in strings.