NewBob Posted April 20, 2007
Hi everyone! I'm using a session class for holding information about the logged-in user. At every page I have the server check if $session->logedIn is true or false. This is set at every page request in the constructor of the session class. I'm not sure how exactly session variables are stored, but I read something about them being stored in a cookie or the header? Anywho, my question is this: is it possible for someone to set his own session variable called logedIn and in that way make the server think that he is a logged-in user, granting him access to member pages? How should I check if it is a logged-in user otherwise? Thanks in advance, /Bob
Link to comment https://forums.phpfreaks.com/topic/47869-about-security/
trq Posted April 20, 2007
Sessions are stored on the server; however, there is also a session cookie stored on the client so that PHP can determine which session belongs to which client. There should be no way for a client to change a session variable.
taith Posted April 20, 2007
True... also... the session_id() is a random-based alphanumeric string... even if they find a way to change it, they've got at most a 1/1000000000 chance of getting somebody else's sessid... when it comes to those odds... if you're going to try and hack it... I say... bring it... lol
taith Posted April 20, 2007
Also... just as a forewarning...

    $_SESSION['test'] = 'test';
    $test = 'blah';
    echo $_SESSION['test']; // outputs blah

which can be useful for hackers... I HIGHLY suggest against storing strings in $_SESSION... however... if you store your user info like this...

    $result = mysql_query($sql); // your login query here
    $row = mysql_fetch_array($result);
    if (!empty($row)) {
        $_SESSION['user'] = $row;
        unset($_SESSION['user']['password']); // never keep the password in the session
    }

that way... you just

    if (is_array($_SESSION['user']) && !empty($_SESSION['user'])) { }

and you have access to all of your user information, and don't have to deal with hackers (arrays can't be transferred to $_SESSION[] through $_GET/$_POST nearly as easily...)
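The two answers above both come down to one rule: the only thing a member page trusts is what the server itself wrote into $_SESSION. The following is an added example, not code from this thread or from PHP Freaks, of a login flow built on that rule: the session cookie is sent with HttpOnly/Secure flags, the session id is regenerated on login so a pre-planted id is not the one that becomes authenticated, and the user row is kept server-side without its password hash, as taith suggests. It assumes a PDO connection in $pdo, a users table with columns id, username and password_hash, and that register_globals is off (PHP's default at the time, and removed in PHP 5.4), so a request parameter can never alias a $_SESSION entry.

```php
<?php
// Added example (not the thread's code). Assumes $pdo (PDO), a users table
// (id, username, password_hash) and register_globals = Off.
declare(strict_types=1);

// Session cookie flags: not readable by client-side script, HTTPS only,
// and not attached to cross-site requests.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Called after the login form is posted. Returns true only when the
// server has verified the credentials and written the session itself.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Fresh session id on privilege change (session fixation defence).
    session_regenerate_id(true);

    // Keep the user record server-side, but never the hash.
    unset($row['password_hash']);
    $_SESSION['user']         = $row;
    $_SESSION['logged_in_at'] = time();
    return true;
}

// The per-page check: nothing from $_GET, $_POST or $_COOKIE decides this,
// only the array the server stored at login.
function isLoggedIn(): bool
{
    return isset($_SESSION['user'])
        && is_array($_SESSION['user'])
        && isset($_SESSION['user']['id']);
}

// Clear server-side state and expire the client's session cookie.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on a member page (constructed):
// if (!isLoggedIn()) { header('Location: /login.php'); exit; }
```

The check answers Bob's question directly: a visitor who sends a parameter named logedIn, or who edits the session cookie, only changes which server-side session (if any) is looked up; he cannot write into it. What remains worth watching is the session id itself, which is why the example regenerates it at login and keeps it out of reach of script and plain HTTP.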
NewBob Posted April 20, 2007 (Author)
Thanks a lot, you all. There's a lot to think about, but now I've got, as the Swedish saying goes, "a little more meat on my bones". /Bob