Ólafur Waage wrote:
Lets say i have a login system. This system authenticates the user via
mysql, when the user is authenticated, i set a session variable to let the
system know the user is authenticated. ie. $_SESSION["authenticated"] =
true;
Lets also say i know that's how the system works, that a session variable
within my browser is set to true. Could i do this if i knew all this info
and "authenticate" myself by setting the variable from the client side?
If it is possible, what can i do to prevent this or increase security?
No. You're teminology indicates a major lack of understanding regarding
how sessions work. Session variables are not "within [your] browser".
The only thing stored in the browser (usually as a cookie) is the
session ID. The contents of the session are stored on the server.
So, given that, the answer to your question is... not unless your code
is exploitable to allow the user to arbitratily set session variables.
-Stut
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
