Jump to content

How secure are Sessions


dptr1988

Recommended Posts

I have a login system that uses sessions to store your userID. The userID is a public number, so I was wondering if a person could take somebody else's userID and set the session variable, and be able to login without a username and password. Let me make it plainer. Can anybody set a session variable from there web browser or only the PHP script on my server?
Link to comment
Share on other sites

i usually do, use a mainfile or include instead of just inputting it..

You could also probably verify its info by checking its original IP (from a db or whatever) and with the IP its using right now. For example...

[code]
$object = mysql_fetch_object($query);
$dbip = $object->ip;
if($dbip == $_SERVER['remote_addr'])
{

}
else
{
exit("Not authorised..");
}
[/code]
maybe something like that?
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.