> > Sure, why not? Users can't create session variables (unless you're on a
> > virtual server...)
>
> ... and I am -- A shared host server that is.
Now I'm not sure on this, I haven't tested it. Has anyone?

If we're on a virtual server, why can't I just open the session.save_path with PHP and read all of the files? Determine which one is yours and try to determine which variables you are saving. Say you are setting $_SESSION['logged_in'] = 1 and $_SESSION['admin'] = "Yes". Then your session file will look like a serialized version of the $_SESSION array.

So say I figure out which ones are yours. I use a PHP script to write my own bad_session_file.whatever in the session folder. Then I call up your web page with www.example.com?PHPSESSID=bad_session_file and PHP will load up the session file I just created and make me an admin...

Like I said, I haven't tested it though. Safe mode might protect against this, not sure. Anyone have any experience here?

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
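A defensive counterpart to the scenario described above, added here and not code from the thread: a PHP session handler that signs each session file with a server-side secret, so a file written into the save directory by someone else fails verification, combined with the ini setting that stops PHP from accepting a session id in the URL. The class name, the save directory and the SESSION_SECRET variable are assumptions.

```php
<?php
// Added example, not code from the thread: session handler that keeps files in a private
// per-application directory and signs the serialized data with a server-side secret, so a
// file another tenant dropped there (or named via ?PHPSESSID=...) fails the HMAC check and
// loads as an empty session. Assumes PHP 8.0+; directory and SESSION_SECRET are placeholders.
class SignedFileSessionHandler implements SessionHandlerInterface
{
    public function __construct(private string $dir, private string $secret) {}
    // Only ids made of characters PHP itself generates, so a crafted id cannot escape $dir.
    private function path(string $id): ?string
    {
        return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) ? "{$this->dir}/sess_$id" : null;
    }
    public function open(string $path, string $name): bool { return is_dir($this->dir); }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $file = $this->path($id);
        if ($file === null || !is_file($file)) {
            return '';
        }
        [$mac, $data] = explode('|', (string) file_get_contents($file), 2) + [1 => ''];
        // A forged file carries no MAC made with our secret: ignore its contents.
        return hash_equals(hash_hmac('sha256', $data, $this->secret), $mac) ? $data : '';
    }
    public function write(string $id, string $data): bool
    {
        $file = $this->path($id);
        $signed = hash_hmac('sha256', $data, $this->secret) . '|' . $data;
        return $file !== null && file_put_contents($file, $signed, LOCK_EX) !== false;
    }
    public function destroy(string $id): bool
    {
        $file = $this->path($id);
        return $file === null || !is_file($file) || unlink($file);
    }
    public function gc(int $maxLifetime): int|false
    {
        $removed = 0;
        foreach (glob("{$this->dir}/sess_*") ?: [] as $file) {
            if (filemtime($file) + $maxLifetime < time() && unlink($file)) { $removed++; }
        }
        return $removed;
    }
}
// Never read the session id from the URL: this alone defeats the ?PHPSESSID= vector.
ini_set('session.use_only_cookies', '1');
session_set_save_handler(new SignedFileSessionHandler('/var/lib/myapp/sessions', getenv('SESSION_SECRET') ?: 'PLACEHOLDER'), true);
session_start();
```

The secret and the save directory must not be readable by other tenants of the host, otherwise a signed file can simply be forged with the same key.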