--- Pablo Gosse <[EMAIL PROTECTED]> wrote:
> In all honesty I don't know enough about how one would go about
> attempting to hack the values of a session other than through hacking
> into the session files, so if anyone has any input on this please pass
> it along.
Well, you basically hit the nail on the head (which means you're right, in case that phrase makes no sense to anyone).

Short of any severe bugs in PHP's core, there is no way for a user of your Web application to modify session data. This data can be modified by you (so users can potentially modify session data if you have a flaw in your logic, notably $_SESSION['foo'] = $_GET['foo']), or by physical access to the session data store (/tmp, a database, or whatever).

So, as far as writing PHP goes, concern yourself with ensuring all data is filtered prior to being stored in the session. A strict naming convention can help here.

As far as the environment goes, there are of course many more factors, but you basically want to protect your session data store as you would personal user data or anything else like that.

Hope that helps.

Chris

=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
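The flawed assignment and the "filter before storing" advice from the reply, as an added example that is not part of the original thread. The parameter names (role, id), the allowlist values and the $clean array name are assumptions chosen to illustrate one possible naming convention.

```php
<?php
// Added example, not code from the thread. Assumes request parameters
// "role" and "id"; allowed role values are constructed for illustration.
session_start();

// The flawed logic the reply warns about: unfiltered user input is written
// straight into the session, so later code that trusts $_SESSION['role']
// is really trusting whatever the client put in the query string.
// $_SESSION['role'] = $_GET['role'];

// Hardened version. Naming convention (assumed): only values that have
// passed through $clean may be written to $_SESSION; $_GET/$_POST never are.
function filter_session_input(array $input)
{
    $clean = array();
    $allowed_roles = array('viewer', 'editor');   // constructed allowlist

    // Allowlist check with strict comparison; fall back to a safe default
    // when the value is missing or not one of the known roles.
    if (isset($input['role']) && in_array($input['role'], $allowed_roles, true)) {
        $clean['role'] = $input['role'];
    } else {
        $clean['role'] = 'viewer';
    }

    // Numeric id: validate the format before converting, rather than
    // casting an arbitrary string and hoping for the best.
    if (isset($input['id']) && ctype_digit($input['id'])) {
        $clean['id'] = (int) $input['id'];
    }

    return $clean;
}

// Only the filtered array reaches the session store.
foreach (filter_session_input($_GET) as $key => $value) {
    $_SESSION[$key] = $value;
}
```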