Highland wrote:
I assume you're talking about session poisoning. It's possible because PHP lets the end user set their own session by declaring PHPSESSIONID=MYSESSIONID and, thus, your session_id() would return "MYSESSIONID", instead of a random hash. I wouldn't worry about using cookies. There's no real advantage and, IMO, URL based tracking draws more attention to the session (plus you run the risk that someone shares the URL socially and now you have two users with the same session).
Because users don't have any innate way to write what goes into the session itself (unless you have an insecure app), I wouldn't worry too much about that either. Session files are not executable.
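The behaviour described above (the server adopting whatever id the client presents) is what makes session fixation possible, and PHP can be told not to do it. The following is an added example, not code from either poster, showing the session settings and the login/logout handling that a defender would use; `loginUser`, `logoutUser` and `$userId` are hypothetical names standing in for the application's own authentication code. It assumes PHP 7.3 or later for the array form of `session_set_cookie_params`. The default cookie and URL parameter name is `PHPSESSID`.

```php
<?php
// Added example (not from the thread): harden PHP session handling so that an
// id chosen by the client is never silently adopted by the server.
declare(strict_types=1);

// Reject ids the server did not issue. With use_strict_mode on, an unknown id
// in the cookie is discarded and a fresh random id is generated instead.
ini_set('session.use_strict_mode', '1');

// Take the id from the cookie only, never from the URL (?PHPSESSID=...),
// and never rewrite links to carry it.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Keep the cookie out of reach of page scripts and off plain HTTP.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);

session_start();

/**
 * Call this once the credentials have been verified (hypothetical $userId
 * comes from the application's own auth code). Issuing a new id at the
 * moment privileges change means an id planted before login is worthless
 * afterwards, even if the attacker knows it.
 */
function loginUser(int $userId): void
{
    // true = delete the old session file, so the pre-login id is not reusable
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

/**
 * Full logout: clear server-side data, expire the cookie, destroy the session.
 */
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

With `session.use_strict_mode` enabled, a request carrying `PHPSESSID=MYSESSIONID` no longer results in `session_id()` returning that value; PHP sees that no session with that id exists and issues a new random one, so the "choose your own session id" step of the attack fails before any login happens. Regenerating the id at login covers the case where the id was valid but known to someone else beforehand.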
Hello. Thank you very much for answering!
I don't show the session id in the address bar. I guess this isn't a problem for me, right?
The previous part I haven't understood yet!

I didn't want to use cookies in the first place because many browsers or freaked-out users don't work with cookies. Plus I read many topics on Google that sessions are supposed to be by nature more secure than cookies since they rely on the server side and a user cannot see them or edit them.
So a user can actually mess up ("edit") a session file somehow?