Along with the other tips people gave, make sure that if you have register_globals turned on, you do not ever reference a session variable that way; always use $_SESSION.
On Thu, 30 Sep 2004 08:39:42 -0400, Aaron Todd <[EMAIL PROTECTED]> wrote:
> Can anyone tell me how secure a session variable is. I realize that if
> someone wanted to take the time to break into my site they will eventually
> succeed, but I don't want to make it too easy. I have a database that stores
> a username and an encrypted password which both are verified when the user
> logs in to the site. Then I have a session variable that I am checking for
> on all other pages that tells the page that they are logged in. I also have
> a session variable that holds the user's ID in the database. Certain pages
> reference that ID to show the user their data. Mainly used for a My Account
> page. But if I'm logged in, how easy would it be, if it's even possible, to
> change the session variable that holds my ID to someone else's ID so I can
> get their data.
>
> I hope I have explained myself enough for someone to know what I am talking
> about. If anyone has some good web sites on session security I'd really
> like to read them.
>
> Thanks,
>
> Aaron
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
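To illustrate the register_globals point in the reply above, here is an added example (not code from either poster) showing the pattern to avoid beside the $_SESSION-only check; the page name login.php and the helper names are assumptions.

```php
<?php
// Added example, not from the thread. Shows why the reply says
// "always use $_SESSION" when register_globals is turned on.

// --- Pattern to avoid: plain globals that register_globals may have
// filled from the request, not from the session. With register_globals=On,
// PHP creates $logged_in and $user_id from GET/POST/cookie input as well as
// from the session, so if nothing in the session sets them first, a query
// string such as  page.php?logged_in=1&user_id=42  satisfies this check and
// the page shows user 42's "My Account" data.
function vulnerable_user_id() {
    global $logged_in, $user_id;   // origin unknown: session or request?
    if (!empty($logged_in)) {
        return (int) $user_id;     // may be an ID the visitor typed in
    }
    return null;
}

// --- Hardened pattern: read only from $_SESSION. Its contents come from
// the server-side session store; the browser presents only the session ID,
// never the values stored under it.
function current_user_id() {
    if (empty($_SESSION['logged_in']) || !isset($_SESSION['user_id'])) {
        return null;
    }
    return (int) $_SESSION['user_id'];
}

// Login: set the session values server-side after the username/password
// check against the database has succeeded. $verified_user_id is the ID
// the database returned for the verified credentials.
function login($verified_user_id) {
    session_regenerate_id(true);   // fresh session ID once the user logs in
    $_SESSION['logged_in'] = true;
    $_SESSION['user_id']   = (int) $verified_user_id;
}

session_start();
$uid = current_user_id();
if ($uid === null) {
    header('Location: login.php');   // assumed login page name
    exit;
}
// Load the account data for $uid here; never take the ID from the request.
```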