> Can anyone tell me how secure a session variable is?  I realize that if
> someone wanted to take the time to break into my site they will eventually
> succeed, but I don't want to make it too easy.  I have a database that stores
> a username and an encrypted password, which both are verified when the user
> logs in to the site.  Then I have a session variable that I am checking for
> on all other pages that tells the page that they are logged in.  I also have
> a session variable that holds the user's ID in the database.  Certain pages
> reference that ID to show the user their data.  Mainly used for a My Account
> page.  But if I'm logged in, how easy would it be, if it's even possible, to
> change the session variable that holds my ID to someone else's ID so I can
> get their data?

All session data is stored on the server.  The only thing on the
client is the session id.  So someone would have to change that session
id to get someone else's info, and you can make that harder to do.

I found this link; it has some good info.

http://shiflett.org/talks/phpworks2004-php-session-security/0

Should give you some pointers.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
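
An added example, not part of the original thread or the linked talk: one way to keep the user ID server-side and make the session id harder to reuse, as the reply describes. The function names, the 'user_id' session key and the sample account are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Configure the session cookie before the session starts.
function start_hardened_session(): void
{
    ini_set('session.use_strict_mode', '1');   // reject session ids the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the session id from the URL
    session_set_cookie_params([                // array form needs PHP 7.3 or later
        'lifetime' => 0,                       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,                    // sent over HTTPS only
        'httponly' => true,                    // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Verify the password, then issue a fresh session id for the logged-in user.
function log_in(array $account, string $password): bool
{
    if (!password_verify($password, $account['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);               // new id at login, old session data deleted
    $_SESSION['user_id'] = $account['id'];     // lives on the server, never sent to the client
    return true;
}

// Pages such as My Account take the ID from the session only,
// never from $_GET, $_POST or a cookie value the client can edit.
function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Constructed sample account standing in for the database row.
$account = [
    'id'            => 42,
    'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
];

start_hardened_session();
$rejected = log_in($account, 'wrong guess');
$accepted = log_in($account, 'correct horse');
var_dump($rejected, $accepted, current_user_id());
```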
