Ólafur Waage wrote:
Lets say i have a login system. This system authenticates the user via mysql, when the user is authenticated, i set a session variable to let the system know the user is authenticated. ie. $_SESSION["authenticated"] = true; Lets also say i know that's how the system works, that a session variable within my browser is set to true. Could i do this if i knew all this info and "authenticate" myself by setting the variable from the client side? If it is possible, what can i do to prevent this or increase security?
No. You're teminology indicates a major lack of understanding regarding how sessions work. Session variables are not "within [your] browser". The only thing stored in the browser (usually as a cookie) is the session ID. The contents of the session are stored on the server.
So, given that, the answer to your question is... not unless your code is exploitable to allow the user to arbitratily set session variables.
-Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
