Member Avatar for justted

Hello all,

Just wanted to see if I am leaving open some security hole in a script I have! When the user logs in it creates a session based on the id field of the users table! For example .... my id is 10 so a session is created with based on that.

What I wanted to know is if I want a secure way to identify a genuine user based on their session then should I make this session more complicated by adding further details? Or even create multiple sessions?

I am currently checking the user against my sql table id against their session but thought that if someone created a session from another website with for example the number 10 then I wouldnt want them being able to access my members account whose ID number is 10!

Hope this makes sense and someone can clarify the best way around it

Thanks

  • 3 Contributors
  • 2 Replies
  • 107 Views
  • 6 Hours Discussion Span
  • Latest Post Latest Post by somedude3488

Recommended Answers

All 2 Replies

Member Avatar for somedude3488

Its pretty secure. Adding more info and creating extra session is unnecessary overhead.

The best way to prevent this is to run session_regenerate_id(true).

[kireol explains everything nicely, I posted at the same time. Didn't see that post]

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.