On 4/9/07, Martin Marques <martin@xxxxxxxxxxxxxxx> wrote:
Ólafur Waage escribió: > Lets say i have a login system. This system authenticates the user via > mysql, when the user is authenticated, i set a session variable to let the > system know the user is authenticated. ie. $_SESSION["authenticated"] = > true; > > Lets also say i know that's how the system works, that a session variable > within my browser is set to true. Could i do this if i knew all this info > and "authenticate" myself by setting the variable from the client side? The only way I know is, if you use transid (transparent session id), the cracker could hijack your session id and the system would think that it's you (suppose that it's your session that got hijacked) > If it is possible, what can i do to prevent this or increase security? Yes: Don't use transparent session id, or even better, save the authentication in a cookie on the client (seperated from the session array).
And then the user would crack the cookie .... I know they are encrypted, but trust me, cookies can be edited. Tijnema -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
