> I'm not worried about them using the query string for malicious purposes-
> I have register_globals off... I'm worried about someone messing with their
> cookie and setting authorized to true- that _will_ change my $_SESSION
> variable, unless I can find some way to ignore cookies, which brings us
> back to my original question- how do I ignore all client input, _especially_
> cookies???
Okay, you're confused. The only thing stored in a cookie with sessions is the session id. That relates to a file or database record where the actual data is stored. This session id is made so it's random and very hard to guess. So they can modify it all they want; odds are very good they'll never hit another active session id (otherwise sessions would be useless).

So, $_SESSION[] is data that's only stored on your server; $_GET, $_POST, and $_COOKIE are data that's coming from the user and shouldn't be trusted.

If you have your own server, $_SESSION is safe. On a virtual server that's shared with other people, other people's scripts on the same server could modify your session files.

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
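The model John describes, as an added example that is not code from the thread: the browser holds only the session id cookie, the "authorized" flag lives in $_SESSION on the server, and the script never reads an "authorized" value from $_COOKIE, $_GET or $_POST. The credential pair, the private session directory and the request handling are assumptions made for the example; the session ini settings and functions are standard PHP.

```php
<?php
// Added example, not from the original thread.  A minimal login that keeps
// the "authorized" flag in $_SESSION only.  The browser holds nothing but
// the session id cookie; editing that cookie merely selects a different
// (almost certainly nonexistent) session, so the client cannot set
// $_SESSION['authorized'] itself.
//
// Assumptions (not in the original post): one hypothetical user "alice",
// and a private session directory one level above the web root.

declare(strict_types=1);

// Shared-hosting caveat from the post: keep session files out of the shared
// /tmp so other tenants' scripts cannot read or rewrite them.  The directory
// must exist and be writable only by the web server user.
session_save_path(__DIR__ . '/../private_sessions');

// Accept the session id from the cookie only (never from ?PHPSESSID=... in
// the query string), reject ids the server did not issue, and keep the cookie
// away from client-side script.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');

session_start();

// Hypothetical credential store.  A real application would load a stored
// hash; it is computed here only so the example runs stand-alone.
$VALID_USER = 'alice';
$VALID_HASH = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

function isAuthorized(): bool
{
    // Trust only server-side session state.  $_COOKIE['authorized'],
    // $_GET['authorized'] and $_POST['authorized'] are client input and are
    // deliberately never consulted.
    return isset($_SESSION['authorized']) && $_SESSION['authorized'] === true;
}

function login(string $user, string $password, string $validUser, string $validHash): bool
{
    if (!hash_equals($validUser, $user) || !password_verify($password, $validHash)) {
        return false;
    }
    // Issue a fresh id on privilege change so a session id the client chose
    // beforehand (session fixation) never becomes an authorized session.
    session_regenerate_id(true);
    $_SESSION['authorized'] = true;
    $_SESSION['user'] = $user;
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Request handling for the demo page.
$action = (string)($_POST['action'] ?? '');
if ($action === 'login') {
    $ok = login(
        (string)($_POST['user'] ?? ''),
        (string)($_POST['password'] ?? ''),
        $VALID_USER,
        $VALID_HASH
    );
    if ($ok) {
        echo "logged in\n";
    } else {
        http_response_code(401);
        echo "bad credentials\n";
    }
} elseif ($action === 'logout') {
    logout();
    echo "logged out\n";
} elseif (isAuthorized()) {
    echo 'secret page for ' . htmlspecialchars((string)$_SESSION['user']) . "\n";
} else {
    http_response_code(403);
    echo "not authorized\n";
}
```

Sending a cookie `authorized=true` only populates $_COOKIE, which isAuthorized() never reads, so the request still gets 403. Tampering with the PHPSESSID cookie makes session_start() look up a session that does not exist; with session.use_strict_mode the server hands out a new, empty session rather than adopting the client-chosen id, and an empty session has no 'authorized' key. The only way into the authorized branch is a successful login() call on the server.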