> I'm not worried about them using the query string for malicious
> I
> have register_globals off... I'm worried about someone messing with
> cookie and sedding authorized to true- that _will_ change my $_SESSION
> variable, unless I can find some way to ignore cookies, which brings
> back
> to my original question- how do i ignore all client input,
> cookies???

Okay, you're confused. The only thing stored in a cookie with sessions
is the session id. That relates to a file or database record where the
actual data is stored. This session id is made so it's random and very
hard to guess. So they can modify it all they want, odds are very good
they'll never hit another active session id (otherwise sessions would be

So, $_SESSION[] is data that's only stored on your server, $_GET,
$_POST, and $_COOKIE is data that's coming from the user and shouldn't
be trusted. If you have your own server, $_SESSION is safe. On a virtual
server that's shared with other people, other people's scripts on the
same server could modify your session files.

---John Holmes...

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to