Re: faking session data
- From: Bert Melis <bert.melis@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 30 Aug 2005 21:10:15 +0200
Marcus wrote:
> Hello all,
> I have written numerous functions that check all user entered data on my site via POST and GET. My question is this: once my data checks out as being valid, I sometimes store it in SESSION as I move between pages, and eventually use the values in SESSION to update my database. Do I need to re-check the values in SESSION to make sure they are still valid before updating the database? In other words, I know session data resides on the server, but how possible/likely is it that a malicious user could fake session data after or in lieu of my initial error checks? All pages are protected by SSL if that makes any difference. Thanks in advance.
> Marcus

The session data values are stored on the server. The session id however is passed to the client. In the worst case, the client could fake the id and hijack another session.
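
Added example, not part of the original post: because the session id is the one session value the client holds, this PHP code shows server-side settings that make a faked or stolen id harder to use. It assumes PHP 7.3 or later and an HTTPS-only site; the function names and the 30-minute idle limit are hypothetical.

```php
<?php
// Added example (not from the original thread). Assumes PHP 7.3+ and HTTPS.
// IDLE_LIMIT and both function names are hypothetical.
const IDLE_LIMIT = 1800; // seconds of inactivity before the session is dropped

function start_hardened_session(): void
{
    // Refuse session ids the server never issued (a client-invented id
    // is replaced with a fresh one instead of being adopted).
    ini_set('session.use_strict_mode', '1');
    // Take the id from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // sent over SSL/TLS only
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    // Expire idle sessions on the server, whatever the cookie says.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = $now;
}

function mark_logged_in(int $userId): void
{
    // Issue a new id at the privilege change and delete the old session,
    // so an id known before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_hardened_session();
```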