Re: Session Authentication

On Mon, April 9, 2007 7:39 am, Ólafur Waage wrote:
> Let's say I have a login system. This system authenticates the user via
> mysql, when the user is authenticated, I set a session variable to let
> the system know the user is authenticated, i.e.
> $_SESSION["authenticated"] = true;
>
> Let's also say I know that's how the system works, that a session
> variable within my browser is set to true. Could I do this if I knew all
> this info and "authenticate" myself by setting the variable from the
> client side?

No.

You are confusing the Cookie (which is a random value to tie the user
to their session) with the actual session data, which lives on the
server.

They might be able to hijack somebody else's session cookie to break
into another account -- but they can't just set 'authenticate' to 1 in
a file on the server.

> If it is possible, what can I do to prevent this or increase security?



-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
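
An added example, not part of the original message: a minimal PHP login page showing that the "authenticated" flag lives in server-side session data while the browser holds only the session ID cookie, with settings that reduce the cookie-hijacking risk the reply mentions. check_credentials() and its sample account are hypothetical stand-ins for the MySQL lookup; the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Harden the session ID cookie before the session starts.
ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
session_set_cookie_params([
    'lifetime' => 0,        // cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,     // sent over HTTPS only
    'httponly' => true,     // not readable by page scripts
    'samesite' => 'Lax',
]);
session_start();

// Hypothetical stand-in for the MySQL lookup (constructed sample account).
function check_credentials(string $user, string $pass): bool
{
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
    $pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';
    if (check_credentials($user, $pass)) {
        // Issue a fresh ID at login and delete the old session data, so an ID
        // known before authentication is useless afterwards.
        session_regenerate_id(true);
        $_SESSION['authenticated'] = true;   // written to server-side storage
        $_SESSION['user'] = $user;
    }
}

// Authorization reads only $_SESSION. A cookie or form field named
// "authenticated" sent by the client lands in $_COOKIE or $_POST and is
// never consulted here.
if (($_SESSION['authenticated'] ?? false) === true) {
    echo 'Welcome, ', htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
} else {
    http_response_code(401);
    echo 'Not logged in';
}
```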