Re: [PHP] Session Authentication
- From: tijnema@xxxxxxxxx ("Tijnema !")
- Date: Mon, 9 Apr 2007 16:41:24 +0200
On 4/9/07, Martin Marques <martin@xxxxxxxxxxxxxxx> wrote:
Ólafur Waage escribió:
> Lets say i have a login system. This system authenticates the user via
> mysql, when the user is authenticated, i set a session variable to let the
> system know the user is authenticated. ie. $_SESSION["authenticated"] =
> true;
>
> Lets also say i know that's how the system works, that a session variable
> within my browser is set to true. Could i do this if i knew all this info
> and "authenticate" myself by setting the variable from the client side?
The only way I know is, if you use transid (transparent session id), the
cracker could hijack your session id and the system would think that
it's you (suppose that it's your session that got hijacked)
> If it is possible, what can i do to prevent this or increase security?
Yes:
Don't use transparent session id, or even better, save the
authentication in a cookie on the client (seperated from the session array).
And then the user would crack the cookie ....
I know they are encrypted, but trust me, cookies can be edited.
Tijnema
.
- Follow-Ups:
- Re: [PHP] Session Authentication
- From: Martin Marques
- Re: [PHP] Session Authentication
- References:
- Session Authentication
- From: "Ólafur Waage"
- Re: [PHP] Session Authentication
- From: Martin Marques
- Session Authentication
- Prev by Date: Re: [PHP] MD5 & bot Question
- Next by Date: RE: [PHP] redirect http to https
- Previous by thread: Re: [PHP] Session Authentication
- Next by thread: Re: [PHP] Session Authentication
- Index(es):
Relevant Pages
|
|
