Brian: What way should you not reference session variables? I seem to have missed that part of the discussion... Sorry.
Gary

On Thu, 30 Sep 2004 10:17:51 -0500, Brian <[EMAIL PROTECTED]> wrote:
> Along with the other tips people gave, make sure that if you have
> register globals turned on, do not ever reference a session variable
> that way, always use $_SESSION
>
> On Thu, 30 Sep 2004 08:39:42 -0400, Aaron Todd <[EMAIL PROTECTED]> wrote:
> > Can anyone tell me how secure a session variable is. I realize that if
> > someone wanted to take the time to break into my site they will eventually
> > succeed, but I don't want to make it too easy. I have a database that stores
> > a username and an encrypted password which both are verified when the user
> > logs in to the site. Then I have a session variable that I am checking for
> > on all other pages that tells the page that they are logged in. I also have
> > a session variable that holds the user's ID in the database. Certain pages
> > reference that ID to show the user their data. Mainly used for a My Account
> > page. But if I'm logged in, how easy would it be, if it's even possible, to
> > change the session variable that holds my ID to someone else's ID so I can
> > get their data.
> >
> > I hope I have explained myself enough for someone to know what I am talking
> > about. If anyone has some good web sites on session security I'd really
> > like to read them.
> >
> > Thanks,
> >
> > Aaron
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
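
Brian's tip about register globals, as an added example that is not part of the original thread: it compares a login check written against bare variables with one that reads only the session array. register_globals is modelled with `extract()` (an assumption, since the directive was removed in PHP 5.4), and the function names, keys and sample values are constructed for illustration.

```php
<?php
// Added example, not from the thread. register_globals is modelled with
// extract() because the directive was removed in PHP 5.4. Simplified model:
// request parameters become plain variables, and session values, when
// present, overwrite them. All names and values below are constructed.

// Check written against bare variables, the style Brian warns about.
function check_with_globals(array $session, array $request): array
{
    extract($request);   // ?logged_in=1 becomes $logged_in
    extract($session);   // a registered session value overwrites it
    $ok = !empty($logged_in);
    return [$ok, ($ok && isset($user_id)) ? (int) $user_id : null];
}

// Same check reading only the session array (stands in for $_SESSION).
function check_with_session_array(array $session): array
{
    $ok = isset($session['logged_in']) && $session['logged_in'] === true;
    return [$ok, $ok ? (int) $session['user_id'] : null];
}

// Constructed cases: [session contents, request parameters].
$cases = [
    'no login, request carries logged_in and user_id' => [
        [], ['logged_in' => '1', 'user_id' => '42'],
    ],
    'logged in as 7, request carries user_id=42' => [
        ['logged_in' => true, 'user_id' => 7], ['user_id' => '42'],
    ],
];

foreach ($cases as $label => [$session, $request]) {
    echo $label, "\n";
    echo '  bare variables: ', json_encode(check_with_globals($session, $request)), "\n";
    echo '  session array:  ', json_encode(check_with_session_array($session)), "\n";
}
```

In this model only the session-array check rejects the first request; in the second case both checks take the user ID from the session and ignore the one in the request.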