Code:
//validation completed and OK
$_SESSION['user'] = $username;

Code:
if (!isset($_SESSION['user'])) {
    die;
}
else {
    //run the page
}
Is this safe enough? Could users somehow switch the value of the session and be treated as another user? This would be really bad for me, because I use the username from that session not just for authentication, but for everything else. For example, when I need to write to the database and I need the User_id, I query the database like this:

Code:
$user = $_SESSION['user'];
$query = mysql_query("SELECT id FROM table WHERE username='$user'");

So, is it possible for someone to change the value of a session (I know it shouldn't be, because sessions are stored on the server), and should I add some random data to my sessions?
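
An added example, not part of the original post: a hardened form of the login and `$_SESSION` check shown above, which regenerates the session id at login, stores the numeric user id instead of the username, and looks the user up with a bound parameter rather than an interpolated string. It assumes PHP 7.3+ with PDO SQLite; the `users` table, its columns, and the `login` and `requireLogin` functions are hypothetical names.

```php
<?php
// Added example, not the poster's code. Table, column and function names are assumptions.
declare(strict_types=1);

// Only the session id reaches the browser; these flags protect that cookie.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
ini_set('session.use_strict_mode', '1'); // refuse ids the server did not issue
session_start();

// Constructed sample data: in-memory SQLite stands in for the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
$pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
    ->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

function login(PDO $pdo, string $username, string $password): bool
{
    // Bound parameter: the quote in "o'brien" cannot change the SQL statement.
    $stmt = $pdo->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    // Issue a fresh session id at login so an id set before login is useless.
    session_regenerate_id(true);
    // Store the numeric id once; later pages need no lookup by username.
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function requireLogin(): int
{
    if (!isset($_SESSION['user_id'])) {
        http_response_code(403);
        exit;
    }
    return $_SESSION['user_id'];
}

// Results are collected first because the session id cannot be regenerated after output.
$rejected = login($pdo, "o'brien", 'wrong password');
$accepted = login($pdo, "o'brien", 'correct horse');
var_dump($rejected, $accepted, requireLogin());
```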