Hi,
Can I trust $_SESSION globalvariable?
I have a script that only checks if it has $_SESSION["userid"]; if it does, then it continues without password checking. Can anyone fake $_SESSION?
Can I trust $_SESSION?
- kaisellgren
- Kieran Huggins
There are also possible issues with file-based sessions on shared hosting, where one site could potentially access the session files of another. This depends on the hosting configuration, of course, but the general feeling about this problem seems to be that one should implement database-based sessions.
Here you can find how to fight against various attacks on PHP sessions. The article should be very useful for you:
http://phpsec.org/projects/guide/4.html
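The reply above recommends database-based sessions instead of PHP's default file-based storage on shared hosting. The following is an added example of what that looks like, not code from this thread or from the linked article: a `SessionHandlerInterface` implementation that stores session payloads in a SQLite database through PDO and is registered with `session_set_save_handler()` before `session_start()`. The table name `sessions` and the database path are assumptions chosen for the example. It also ties back to the original question: `$_SESSION` is state held on the server and keyed by the session ID the browser presents in its cookie, so a client cannot write `userid` into it directly; whether the check can be trusted depends entirely on the login code that sets `userid` only after verifying the password, and on protecting the session ID itself (the attacks the linked guide covers).

```php
<?php
// Added example (not from the forum post): database-backed PHP sessions.
// Assumptions: PHP 8.x with the pdo_sqlite extension; the table "sessions" and
// the database file path are chosen for this example.
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $maxLifetime;

    public function __construct(PDO $db, int $maxLifetime)
    {
        $this->db = $db;
        $this->maxLifetime = $maxLifetime;
        // One row per session: the session ID, the serialized $_SESSION payload,
        // and the last access time used for expiry and garbage collection.
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS sessions (
                id TEXT PRIMARY KEY,
                data TEXT NOT NULL,
                last_access INTEGER NOT NULL
            )'
        );
    }

    public function open(string $path, string $name): bool
    {
        return true; // the PDO connection is already open
    }

    public function close(): bool
    {
        return true;
    }

    public function read(string $id): string|false
    {
        // Only return data for a known, unexpired session ID; an unknown or
        // expired ID yields '' so PHP starts with an empty $_SESSION.
        $stmt = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = :id AND last_access > :cutoff'
        );
        $stmt->execute([':id' => $id, ':cutoff' => time() - $this->maxLifetime]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        // Insert or overwrite the row for this session ID and refresh last_access.
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, last_access)
             VALUES (:id, :data, :now)'
        );
        return $stmt->execute([':id' => $id, ':data' => $data, ':now' => time()]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        // Remove sessions idle longer than the configured lifetime.
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE last_access < :cutoff');
        $stmt->execute([':cutoff' => time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

// Usage: register the handler before session_start(). The database file lives
// inside this site's own directory (assumed path), not in the shared
// session.save_path that other sites on the same host may be able to read.
$db = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$handler = new PdoSessionHandler($db, (int) ini_get('session.gc_maxlifetime'));
session_set_save_handler($handler, true);
session_start();

// The check from the question. "userid" can only be present if server-side code
// stored it earlier, so that login code must run only after password verification.
if (!isset($_SESSION['userid'])) {
    header('Location: /login.php'); // assumed login page for the example
    exit;
}
```

The `read()` method treats an unknown or expired session ID as an empty session rather than an error, which is the behaviour PHP's built-in file handler has and the behaviour the rest of the application expects. Moving storage out of the shared `session.save_path` addresses the cross-site file access the reply describes; it does not by itself protect the session ID in the cookie, which is why the linked guide's advice still applies.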