On Monday 09 April 2007 10:04, Stut wrote:
> Ólafur Waage wrote:
> > Let's say I have a login system. This system authenticates the user via
> > MySQL; when the user is authenticated, I set a session variable to let
> > the system know the user is authenticated, i.e. $_SESSION["authenticated"]
> > = true;
> >
> > Let's also say I know that's how the system works, that a session variable
> > within my browser is set to true. Could I do this if I knew all this info
> > and "authenticate" myself by setting the variable from the client side?
> >
> > If it is possible, what can I do to prevent this or increase security?
>
> No. Your terminology indicates a major lack of understanding regarding
> how sessions work. Session variables are not "within [your] browser".
> The only thing stored in the browser (usually as a cookie) is the
> session ID. The contents of the session are stored on the server.
>
> So, given that, the answer to your question is... not unless your code
> is exploitable to allow the user to arbitrarily set session variables.
>
> -Stut

Sessions are stored in the server's temporary folder... So... If I know my
session ID and where it's stored, I can do something...

-- 
Davi Vidal
--

Now with fortune:
"Welcome to alt.os.linux.slackwre. We hope you will enjoy your stay.
Your answer is here: <URL:http://www.catb.org/~esr/faqs/smart-questions.html> 
     -- Faux Pseudo"
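As an added illustration (not code from any of the posters), a minimal PHP login flow showing why the browser cannot set $_SESSION["authenticated"] itself, plus the kind of code Stut calls "exploitable". The users table, its column names and the $pdo connection are assumed.

```php
<?php
// login.php: the browser only ever holds the session ID cookie (PHPSESSID).
// Everything in $_SESSION lives on the server, as files under
// ini_get('session.save_path') by default; on a shared host, point that
// setting at a directory only this application can read.
session_start();

function authenticate(PDO $pdo, string $user, string $pass): bool
{
    // Assumed schema: users(username, password_hash), hashes from password_hash().
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return false;
    }
    // Only server-side code decides this; nothing sent by the client is copied in.
    session_regenerate_id(true);   // discard the pre-login ID (session fixation)
    $_SESSION['authenticated'] = true;
    $_SESSION['username'] = $user;
    return true;
}

function requireLogin(): void
{
    if (empty($_SESSION['authenticated'])) {
        http_response_code(403);
        exit('Not authenticated');
    }
}

// What "exploitable" looks like: copying request data straight into the
// session lets a client send authenticated=1 and pass requireLogin().
function insecureImport(): void
{
    foreach ($_REQUEST as $k => $v) {   // DO NOT do this
        $_SESSION[$k] = $v;
    }
}
```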

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
