spfoonnewb Posted January 27, 2007

I have a login script that uses sessions and cookies; all the session will contain is the username of the user and the password they are using (encrypted). Each page behind that is using that session username and password, and testing it against the database before doing anything. If it doesn't match the database, i.e. it has been edited, it redirects to the login page to fix the session.

Right now I am forcing cookies. Do you think that allowing PHPSID's would be a security vulnerability?

[code]
<?php
SetCookie("COOKIE", "TEST");
if ($COOKIE == "TEST") {
} else {
    header("location:cookies.php");
}
?>
[/code]

chriscloyd Posted January 27, 2007

Wouldn't it be $_COOKIE['cookie']?

spfoonnewb Posted January 27, 2007

Dunno, but that works fine. I am wondering about the security of not forcing cookies.

Orio Posted January 27, 2007

Read:
http://www.sitepoint.com/blogs/2004/03/03/notes-on-php-session-security/
http://phpsec.org/projects/guide/4.html

Orio.

This topic is now archived and is closed to further replies.
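
An added example, not code from any poster in this thread, of enforcing cookie-only sessions in PHP configuration instead of the cookie-test redirect in the question: the session ID is accepted only from a cookie, never placed in URLs, and regenerated at login. The in-memory user store, the function names `login` and `current_user`, and the HTTPS assumption are hypothetical.

```php
<?php
// Added example; the user store and function names are hypothetical.
// Needs PHP 7.3+ for the array form of session_set_cookie_params().

// Take the session ID from the cookie only; never read or emit it in URLs.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject session IDs this server did not issue.
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // assumption: the site is served over HTTPS
    'httponly' => true,   // keep the ID out of reach of page scripts
    'samesite' => 'Lax',
]);
session_start();

// Constructed stand-in for the users table: username => password hash.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Issue a new ID at login so an ID known before login is useless afterwards.
    session_regenerate_id(true);
    // This example keeps only the identity in the session, not the password.
    $_SESSION['username'] = $username;
    return true;
}

function current_user(array $users): ?string
{
    // Per-page check: the session must name a user that still exists.
    $name = $_SESSION['username'] ?? null;
    return (is_string($name) && isset($users[$name])) ? $name : null;
}

// Demo with constructed credentials; results are printed after all session calls.
$rejected = login($users, 'alice', 'wrong password');
$accepted = login($users, 'alice', 'correct horse');
$who      = current_user($users);
var_dump($rejected, $accepted, $who);
```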