php_guy
Posted February 5, 2011

Hello all,

I have this at the top of my page to ensure that only logged in users can see the content

```php
if(!isset($_SESSION['myusername'])){
    header("Location:login.php");
    exit;
}
else
{
    $username = $_SESSION['myusername'];
}
```

This, of course, is checked in the login form against a database and only stored in $_SESSION once it's verified...

Now, my question is -- how secure is this? For example, could someone have $_SESSION['myusername'] set from another webpage, then navigate to mine and be able to see the protected content?

johnny86
Posted February 5, 2011

Session data is stored locally on the server. So there is no way another site could spoof session data. The problem you're describing could be that someone had a valid PHP session ID stored in their cookie for your site. Note that cookies cannot be set by another site to point to your domain.

You could look into the PHPFreaks tutorial here: http://www.phpfreaks.com/tutorial/php-security
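
Added example, not part of either post: because the session ID in the visitor's cookie is the only link to the server-side session data, this sketch hardens that cookie and issues a fresh ID at login before applying the same `isset` gate as the first post. The function names are hypothetical, and it assumes PHP 7.3+ and a site served over HTTPS.

```php
<?php
declare(strict_types=1);
// Added example (not code from the thread). Function names are hypothetical.

function start_secure_session(): void
{
    // Reject session IDs that the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    // Accept the session ID from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only (assumes the site uses TLS)
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',  // not sent on cross-site sub-requests
    ]);
    session_start();
}

// Call once, right after the login form has verified the credentials
// against the database.
function complete_login(string $username): void
{
    // Issue a new ID and delete the old session, so an ID that was
    // known before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['myusername'] = $username;
}

// Gate for protected pages: the same check as in the first post.
function require_login(): string
{
    if (!isset($_SESSION['myusername'])) {
        header('Location: login.php');
        exit;
    }
    return $_SESSION['myusername'];
}

// At the top of a protected page:
start_secure_session();
$username = require_login();
```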