Re: Session Authentication

Thanks, yes my knowledge of sessions was a little vague.


2007/4/9, Stut <stuttle@xxxxxxxxx>:

Ólafur Waage wrote:
> Let's say I have a login system. This system authenticates the user via
> mysql, when the user is authenticated, I set a session variable to let
> the system know the user is authenticated. ie. $_SESSION["authenticated"] =
> true;
>
> Let's also say I know that's how the system works, that a session
> variable within my browser is set to true. Could I do this if I knew all this
> info and "authenticate" myself by setting the variable from the client side?
>
> If it is possible, what can I do to prevent this or increase security?

No. Your terminology indicates a major lack of understanding regarding
how sessions work. Session variables are not "within [your] browser".
The only thing stored in the browser (usually as a cookie) is the
session ID. The contents of the session are stored on the server.

So, given that, the answer to your question is... not unless your code
is exploitable to allow the user to arbitrarily set session variables.

-Stut
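An added illustration of Stut's point, written for this archive note and not code from either poster: the `authenticated` flag is only ever set server-side after a credential check, and the one way a client could set it anyway is code that copies request data into `$_SESSION` wholesale, shown beside a safe version. `credentials_valid()` is a hypothetical stand-in for the real MySQL lookup.

```php
<?php
// Constructed example (not from the thread): server-side session state and
// the one coding pattern that would let a client write into it.
session_start();

// Hypothetical credential check; a real one queries the user table and
// compares against a stored password hash with password_verify().
function credentials_valid(string $user, string $pass): bool {
    $stored = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($stored[$user]) && password_verify($pass, $stored[$user]);
}

// Login: the flag becomes true only after the server verified the password.
// The browser holds nothing but the session ID cookie, never this value.
function login(string $user, string $pass): bool {
    if (!credentials_valid($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);   // fresh ID after login: blocks session fixation
    $_SESSION['authenticated'] = true;
    $_SESSION['user'] = $user;
    return true;
}

// VULNERABLE: copying every request field into the session is exactly the
// "code exploitable to arbitrarily set session variables" Stut describes;
// a client-supplied 'authenticated' field would overwrite the flag.
function save_prefs_unsafe(array $post): void {
    foreach ($post as $k => $v) {
        $_SESSION[$k] = $v;
    }
}

// SAFE: only an explicit allowlist of preference keys comes from the client,
// stored under its own key so it can never collide with auth state.
function save_prefs_safe(array $post): void {
    foreach (['theme', 'language'] as $k) {
        if (isset($post[$k]) && is_string($post[$k])) {
            $_SESSION['prefs'][$k] = $post[$k];
        }
    }
}

// Protected pages check the server-side flag, never anything the client sent.
function require_login(): void {
    if (empty($_SESSION['authenticated'])) {
        http_response_code(403);
        exit('not authenticated');
    }
}
```

The defensive rule this encodes: request data is never a source for authorization state, and keys written to the session from user input are always allowlisted.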

