Hi Shaun, > If i use sid in the url , is it dangerous - > can hackers gain info on important variables > storing username and passwords or is it save > to use , if not what should i do.
Theoretically, if you guess or sniff someone's session ID, you can hijack their session. That doesn't mean you can find out the contents of every variable if they're not displayed; you'd need to compromise the web server for that (and if someone can get onto your server, you have bigger problems than session hijacking). What can you do? <shrug> Live with it or serve over HTTPS, I suppose. Nothing that travels via vanilla HTTP is secure. You can minimise the likelihood of a SID being *guessed* by generating your own and making them insanely long (128 chars, for example), but IMHO that's overkill. It might be an idea to reduce the expiry time as well - you can do this in php.ini. Even if you do have a session hijacked, you can limit any damage by good app design: for example, don't stored passwords in the session and then have a header at the top of every page saying "hello $username, your password is $password" :-) Cheers Jon -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
