
Editing session files



#1 pixy

pixy
  • Members
  • Advanced Member
  • 295 posts

Posted 25 July 2006 - 07:21 PM

Okay, someone tell me if this is totally off--but I was able to edit my session file created by my site and it logged me in as someone else. I just changed the number and the name and I was logged in as the other person...

My question is, couldn't anyone just go in there and change it? If they know the ID of the user and the username they could just log in as anyone.

How can I make it more secure?

This is a .44 Caliber Loveletter straight through my heart.

Tabulas + Threadless + Hire Me!


#2 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • Location: UK, Bournemouth

Posted 26 July 2006 - 01:26 PM

This will only be possible if you are the Admin of the site, i.e. you have FTP/control panel access to your site. Sessions by default are stored on the server, usually within a folder called tmp which should be out of reach from public access, as it's outside your server's document root.

But if the session data is being written to a cookie (not the session ID), then I would advise you to either get the host to change this, or to write your own session handler.
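
The case raised in the reply above, where session data rather than just a session ID is held by the client, shown as an added example that is not part of the thread: an HMAC tag over the user ID and name lets the server reject an edited value. The thread names no language, so Python is used for illustration; the function names, cookie layout, key handling and 30-minute lifetime are all assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed key for this example; a real site loads a fixed secret from
# server-side configuration so that it never reaches the client.
SERVER_KEY = secrets.token_bytes(32)
MAX_AGE = 1800  # seconds a cookie stays valid (assumed value)

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()

def issue_cookie(user_id, username, now=None):
    """Serialize the session fields and append an HMAC-SHA256 tag."""
    issued = int(now if now is not None else time.time())
    payload = json.dumps({"id": user_id, "name": username, "iat": issued},
                         sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def read_cookie(cookie, now=None):
    """Return the session dict, or None if the cookie was altered or expired."""
    try:
        p64, t64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    data = json.loads(payload)  # parsed only after the tag has verified
    now = now if now is not None else time.time()
    if now - data["iat"] > MAX_AGE:
        return None
    return data

def edit_fields(cookie, user_id, username):
    """Reproduce the edit from the first post: new id and name, old tag kept."""
    p64, t64 = cookie.split(".")
    data = json.loads(base64.urlsafe_b64decode(p64))
    data.update(id=user_id, name=username)
    return _b64(json.dumps(data, sort_keys=True).encode()) + "." + t64
```

Signing only detects edits; the fields stay readable by whoever holds the cookie, so nothing secret belongs in them.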

#3 pixy

pixy
  • Members
  • Advanced Member
  • 295 posts

Posted 29 July 2006 - 05:24 PM

Ooh, okay. I did look and they were in a tmp file--but I assumed that was the tmp file on my computer. Thanks for the clarification!!





