pixy Posted July 25, 2006 Share Posted July 25, 2006 Okay, someone tell me if this is totally off--but I was able to edit my session file created by my site and it logged me in as someone else. I just changed the number and the name and i was logged in as the other person...My question is, couldn't anyone just go in there and change it? If they know the ID of the user and the username they could just log in as anyone.How can I make it more secure? Quote Link to comment Share on other sites More sharing options...
wildteen88 Posted July 26, 2006 Share Posted July 26, 2006 This will only be possible if you are the Admin of the site, ie you have ftp/control panel access to your site. Sessions by default are stored on the server, usually within a folder called tmp which should be out of reach from public access, as its outside your servers document root.But if the sessions data is being written to a cookie, (not the session id), then I would advise you either get the host to change this, or to write your own session handler. Quote Link to comment Share on other sites More sharing options...
pixy Posted July 29, 2006 Author Share Posted July 29, 2006 OOh, okay. I did look and they were in a tmp file--but I assumed that was the tmp file on my computer. Thanks for clarification!! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.