Is it smart enough to use session id to identify user when he wants to change his user details?
For example, if I read the username value from the cookie and then allow user to change data on his page, can someone else put some username in a cookie on their machine and then modify other people's info?
I was thinking about storing the session info in the table and then to compare if username in the cookie matches the active session ID I have in the table?
What do you guys think?
Is it smart enough to use session id to identify user?
Re: Is it smart enough to use session id to identify user?
Milan wrote: Is it smart enough to use session id to identify user when he wants to change his user details?

No. It is strongly recommended to have the user re-login to verify credentials and change / view any of their information. It is usually enough, however, to identify them from script-to-script when viewing the site.

Milan wrote: For example, if I read the username value from the cookie and then allow user to change data on his page, can someone else put some username in a cookie on their machine and then modify other people's info?

This is technically possible, yes. Maybe not very probable given certain situations but do you want to take the chance?

Milan wrote: I was thinking about storing the session info in the table and then to compare if username in the cookie matches the active session ID I have in the table?

Again, this is fine for general identification, tracking the user on the site, etc.
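
The approach discussed in this thread, as an added example that is not part of either post: the account is resolved from a server-side session table, any username cookie is ignored, and the password is re-checked before details change. It is written in Python with in-memory dictionaries standing in for the tables; the function names and the `session_id` cookie name are assumptions made for illustration.

```python
import hashlib, hmac, os, secrets

# Constructed sample data: in-memory stand-ins for the users and sessions tables.
USERS = {}      # username -> {"salt", "pw_hash", "email"}
SESSIONS = {}   # session_id -> username

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(username, password, email):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "pw_hash": _hash(password, salt), "email": email}

def check_password(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["pw_hash"], _hash(password, user["salt"]))

def login(username, password):
    """Return a new unguessable session ID, or None on bad credentials."""
    if not check_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid

def change_email(cookies, current_password, new_email):
    """Change the e-mail of whoever owns the session, never of a cookie-named user."""
    # The account is resolved from the server-side table; a "username"
    # cookie is client-controlled and is deliberately ignored.
    username = SESSIONS.get(cookies.get("session_id", ""))
    if username is None:
        return False
    # Re-verify credentials before a sensitive change, as the reply recommends.
    if not check_password(username, current_password):
        return False
    USERS[username]["email"] = new_email
    return True
```

Because the username never comes from the client, editing a cookie can at most present a session ID the server does not recognise, which is rejected.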