Jump to content

Editing session files


Recommended Posts

Okay, someone tell me if this is totally off--but I was able to edit my session file created by my site and it logged me in as someone else. I just changed the number and the name and i was logged in as the other person...

My question is, couldn't anyone just go in there and change it? If they know the ID of the user and the username they could just log in as anyone.

How can I make it more secure?
Link to comment
Share on other sites

This will only be possible if you are the Admin of the site, ie you have ftp/control panel access to your site. Sessions by default are stored on the server, usually within a folder called tmp which should be out of reach from public access, as its outside your servers document root.

But if the sessions data is being written to a cookie, (not the session id), then I would advise you either get the host to change this, or to write your own session handler.
Link to comment
Share on other sites

This thread is more than a year old. Are you sure you have something important to add to it?

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.