Can I trust $_SESSION ?
Posted: Thu Jan 18, 2007 3:36 am
by kaisellgren
Hi,
Can I trust the $_SESSION global variable?
I have a script that only checks if it has $_SESSION["userid"]; if it does, then it continues without password checking. Can anyone fake $_SESSION?
Posted: Thu Jan 18, 2007 5:32 am
by Kieran Huggins
You should use a PCRE to validate the session global. We could all pitch in and write one for you if you want... oh wait, never mind.
search results
Posted: Thu Jan 18, 2007 5:39 am
by Mordred
There are also possible issues with file-based sessions on shared hosting, where one site could potentially access the session files of another. This depends on the hosting configuration, of course, but the general feeling about this problem seems to be that one should implement database-based sessions.
Posted: Sun Jan 21, 2007 2:17 am
by Zyxist
Here you can find out how to fight against various attacks on PHP sessions. The article should be very useful for you:
http://phpsec.org/projects/guide/4.html