NewBob Posted April 20, 2007 Share Posted April 20, 2007 Hi everyone! I'm using a session class for holding information about the logged-in user. At every page I have the server check if $session->logedIn is true or false. This is set at every page request in the constructor of the session class. I'm not sure how exactly session variables are stored but I read something about them being stored in a cookie or the header? Anywho, my question is this: is it possible for someone to set his own session variable that is called logedIn and in that way make the server think that he is a logged-in user, granting him access to member pages? How should I check if it is a logged-in user otherwise? Thanks in advance, /Bob
trq Posted April 20, 2007 Share Posted April 20, 2007 Sessions are stored on the server; however, there is also a session cookie stored on the client so that PHP can determine which session belongs to which client. There should be no way for a client to change a session variable.
taith Posted April 20, 2007 Share Posted April 20, 2007 true... also... the session_id() is a random-based alphanumeric string... even if they find a way to change it, they've got at least a 1/1000000000 chance of getting somebody else's sessid... when it comes to those odds... if you're going to try and hack it... I say... bring it... lol
taith Posted April 20, 2007 Share Posted April 20, 2007 also... just as forewarning...

    $_SESSION['test'] = 'test';
    $test = 'blah';
    echo $_SESSION['test']; // outputs blah

which can be useful for hackers... I HIGHLY suggest against storing strings into $_SESSION... however... if you store your user info like this...

    $query = mysql_query($sql); // $sql: your login query here
    $row = mysql_fetch_array($query);
    if (!empty($row)) {
        $_SESSION['user'] = $row;
        unset($_SESSION['user']['password']); // never keep the password in the session
    }

that way... you just

    if (is_array($_SESSION['user']) && !empty($_SESSION['user'])) { }

you have access to all of your user information, and don't have to deal with hackers (arrays can't be transferred to $_SESSION[] through $_GET/$_POST nearly as easily...)
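The following is an added example that is not part of this thread and not code from either poster. It puts trq's point (session state lives on the server, the client only holds the session id cookie) and taith's suggestion (store the user row in the session, minus the password) into one login flow. It uses PDO and password_verify() in place of the thread's mysql_* functions; the table name users and the columns id, username, password_hash and role are assumptions, as are the file name login.php and the setting names shown.

```php
<?php
// Added example (not from the thread). Assumes a `users` table with
// columns id, username, password_hash, role; the hash is produced by password_hash().
declare(strict_types=1);

// Harden the session cookie before the session starts: the cookie carries only the
// session id, and this keeps it off JavaScript and plain HTTP.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash, role FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Fail closed: an unknown user and a wrong password look the same to the caller.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Issue a fresh session id once authenticated so a pre-set id cannot be reused.
    session_regenerate_id(true);

    // Keep the user record server-side, but never the password hash.
    unset($row['password_hash']);
    $_SESSION['user']      = $row;
    $_SESSION['logged_in'] = true;
    return true;
}

// Guard for member pages: the only source of these values is the server-side
// session written by login(), never $_GET or $_POST.
function requireLogin(): array
{
    if (empty($_SESSION['logged_in']) || !is_array($_SESSION['user'] ?? null)) {
        header('Location: /login.php');
        exit;
    }
    return $_SESSION['user'];
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the client-side id cookie as well as destroying the server-side data.
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Usage: a member page calls $user = requireLogin(); at the top and then reads $user['id'] or $user['role'] from the returned array. Because the only thing the browser ever holds is the session id, a client cannot set logged_in or user itself; what the guard must rely on is that register_globals is off and that nothing in the application copies request parameters into $_SESSION.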
NewBob Posted April 20, 2007 Author Share Posted April 20, 2007 Thanks a lot, you all. There's a lot to think about, but now I've got, as the Swedish saying goes, "a little more meat on my bones" /Bob