Can anyone tell me how secure a session variable is? I realize that if someone wanted to take the time to break into my site they will eventually succeed, but I don't want to make it too easy. I have a database that stores a username and an encrypted password, which are both verified when the user logs in to the site. Then I have a session variable that I am checking for on all other pages that tells the page that they are logged in. I also have a session variable that holds the user's ID in the database. Certain pages reference that ID to show the user their data. Mainly used for a My Account page. But if I'm logged in, how easy would it be, if it's even possible, to change the session variable that holds my ID to someone else's ID so I can get their data?
I hope I have explained myself enough for someone to know what I am talking about. If anyone has some good web sites on session security I'd really like to read them.

Thanks,
Aaron

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

