1. Where is the session variable stored? server side or client cookie?
However, the sessionid is passed back and forth between the server and the client, of course. But that should not be a problem, because of the (pseudo) random and quite complex nature of sessionids it would be hard to guess someone else's sessionid.
Yes, it's hard to guess the id of a session. However, if you were to snoop HTTP traffic and intercepted someone's HTTP header, then you could easily use that session id to hijack someone else's session by submitting the same cookie header to the server.
You can try other techniques of preventing this from happening, including comparing IP addresses from requests (see the archives for a discussion of this; including how it doesn't always work!).
-chris
