
Hello all,

Just wanted to see if I am leaving open some security hole in a script I have! When the user logs in, it creates a session based on the id field of the users table! For example, my id is 10, so a session is created based on that.

What I wanted to know is if I want a secure way to identify a genuine user based on their session then should I make this session more complicated by adding further details? Or even create multiple sessions?

I am currently checking the user's SQL table id against their session, but thought that if someone created a session from another website with, for example, the number 10, then I wouldn't want them being able to access my member's account whose ID number is 10!

Hope this makes sense and someone can clarify the best way around it.

Thanks

3 Contributors, 2 Replies, 3 Views, 8 Years Discussion Span, Last Post by somedude3488

It's pretty secure. Adding more info and creating extra sessions is unnecessary overhead.

The best way to prevent this is to run session_regenerate_id(true).

[kireol explains everything nicely, I posted at the same time. Didn't see that post]
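Putting the thread's question and the reply's advice into code, as an added example that is not from the original poster or the reply: in PHP the browser's cookie carries only an opaque session id, and the user id lives in server-side session storage, so a visitor cannot become user 10 just by presenting a cookie of their own choosing. What does need handling is session fixation (an attacker plants a session id in the victim's browser before login) and session hijacking (the cookie is stolen), which is what `session_regenerate_id(true)` and the cookie settings below address. The `$pdo` connection and the `users` table layout (`id`, `username`, `password_hash`) are assumptions for the illustration; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the original thread. Assumes $pdo is a
// configured PDO connection and a `users` table with columns
// `id`, `username` and `password_hash` (password_hash() output).

declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Accept session ids from cookies only (never from the URL) and reject
    // ids the server did not issue itself; both limit session fixation.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,   // cookie not readable from JavaScript
        'secure'   => true,   // only sent over HTTPS (assumes the site uses TLS)
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool
{
    start_secure_session();

    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Discard whatever session id the browser arrived with and issue a fresh
    // one; `true` also deletes the old session data. A session id planted
    // before login therefore never turns into an authenticated session.
    session_regenerate_id(true);

    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['logged_in'] = true;
    return true;
}

function current_user_id(PDO $pdo): ?int
{
    start_secure_session();
    if (empty($_SESSION['logged_in']) || !isset($_SESSION['user_id'])) {
        return null;
    }
    // The id is read from server-side session storage, never from the
    // request, so the client cannot pick it. Re-check that the account still
    // exists in case it was deleted since login.
    $stmt = $pdo->prepare('SELECT id FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    return $stmt->fetchColumn() !== false ? (int) $_SESSION['user_id'] : null;
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    session_destroy();
}
```

Call `login()` from the form handler and `current_user_id()` at the top of every members-only page; a `null` return means redirect to the login form. Storing the single integer id in `$_SESSION`, as the original poster already does, is enough: adding more fields or extra sessions does not make the cookie any harder to steal or plant.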
