This topic is now archived and is closed to further replies.

pixy

Editing session files

Okay, someone tell me if this is totally off--but I was able to edit my session file created by my site and it logged me in as someone else. I just changed the number and the name and I was logged in as the other person...

My question is, couldn't anyone just go in there and change it? If they know the ID of the user and the username they could just log in as anyone.

How can I make it more secure?

This will only be possible if you are the Admin of the site, i.e. you have FTP/control panel access to your site. Sessions by default are stored on the server, usually within a folder called tmp which should be out of reach from public access, as it's outside your server's document root.

But if the session data is being written to a cookie (not the session ID), then I would advise you either get the host to change this, or write your own session handler.
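The server-side storage the reply above describes, as an added example that is not part of the original thread: the cookie carries only a random session ID, while the user ID and username stay in a file outside the document root. Python is used for illustration; the `SessionStore` class, the directory names and the sample user are assumptions.

```python
import json
import os
import re
import secrets
import tempfile
from pathlib import Path

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{43}")  # shape of secrets.token_urlsafe(32)


class SessionStore:
    """File-backed sessions: the browser holds only a random ID."""

    def __init__(self, session_dir, document_root):
        self.dir = Path(session_dir).resolve()
        docroot = Path(document_root).resolve()
        # Refuse to keep session files anywhere the web server would serve.
        if self.dir == docroot or docroot in self.dir.parents:
            raise ValueError("session directory is inside the document root")
        self.dir.mkdir(mode=0o700, parents=True, exist_ok=True)

    def create(self, user_id, username):
        sid = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
        fd = os.open(self.dir / f"sess_{sid}", flags, 0o600)  # owner-only file
        with os.fdopen(fd, "w") as fh:
            json.dump({"user_id": user_id, "username": username}, fh)
        return sid  # the only value that goes into the cookie

    def load(self, sid):
        # Reject anything that is not a well-formed ID (this also blocks "../").
        if not isinstance(sid, str) or not TOKEN_RE.fullmatch(sid):
            return None
        path = self.dir / f"sess_{sid}"
        return json.loads(path.read_text()) if path.is_file() else None


def demo():
    base = Path(tempfile.mkdtemp())      # constructed directory layout
    docroot = base / "public_html"
    docroot.mkdir()
    store = SessionStore(base / "sessions", docroot)
    sid = store.create(7, "pixy")        # constructed sample user
    edited = secrets.token_urlsafe(32)   # a client changing its cookie value
    return store.load(sid), store.load(edited), store.load("../sess_" + sid)


if __name__ == "__main__":
    print(demo())
```

Because the identity fields never leave the server, changing the cookie value only produces an ID that matches no stored session.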

Ooh, okay. I did look and they were in a tmp file--but I assumed that was the tmp file on my computer. Thanks for the clarification!!
