Page1.php:
<?php
session_start();
// Only set the flag when a password was actually submitted and it matches
// (the isset() check avoids an undefined-index notice on a plain GET).
if (isset($_POST['password']) && $_POST['password'] === "testpass") {
    $_SESSION['authenticated'] = true;
}
?>
Page2.php:
<?php
session_start();
if (isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true) {
    echo "Super secret stuff!";
}
?>
Can a user get in without the super secure password?
The $_SESSION is stored entirely on the server, so the user cannot modify it.
Sessions are NOT serverside, they are stored on the client's local machine (you can go into your cookies and look for a cookie called PHPSESSID under your domain name). Yes, they can be hacked, and this is in fact a very common method of hacking.
No. The data in the $_SESSION variable is stored on the server, inaccessible from the user.
A session is coupled to a user through a cookie. A cookie with an identifier (i.e. a long random string) is sent to the user to identify the user and link him to his session. If somebody else gains access to this cookie, he can use that same code to pretend he is the user, and that way he can get in without the password.
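The answer above comes down to one point: whoever holds the session cookie holds the session. As an added example (not code from the question or any answer), here is the same Page1/Page2 logic with the session configured so that a leaked or pre-set identifier is worth much less to an attacker. It assumes PHP 7.3+ for the array form of session_set_cookie_params(); the password hash and the 15-minute lifetime are placeholder values constructed for the example.

```php
<?php
// Added example: hardened version of Page1.php / Page2.php.

// Accept session IDs only from the cookie, and reject IDs the server did not
// issue (mitigates session fixation via a URL or an attacker-chosen cookie).
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');

// Cookie flags: not readable by JavaScript (XSS cannot read it), sent only
// over HTTPS, and not attached to cross-site requests.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// Page1.php equivalent: verify the password, then issue a brand-new session ID
// so an identifier observed before login never carries the privilege.
if (isset($_POST['password'])) {
    // Placeholder: a real application stores password_hash() output in a DB.
    $storedHash = password_hash('testpass', PASSWORD_DEFAULT);
    if (password_verify($_POST['password'], $storedHash)) {
        session_regenerate_id(true);          // old ID is deleted server-side
        $_SESSION['authenticated'] = true;
        $_SESSION['login_time']    = time();
    }
}

// Page2.php equivalent: strict type check plus an absolute lifetime, so a
// captured cookie stops working after a bounded time even without logout.
$maxAge = 15 * 60; // seconds; constructed value for this example
$authenticated = ($_SESSION['authenticated'] ?? false) === true
    && (time() - ($_SESSION['login_time'] ?? 0)) < $maxAge;

if ($authenticated) {
    echo "Super secret stuff!";
} else {
    // Expired or never authenticated: drop the server-side state entirely.
    session_unset();
    session_destroy();
}
```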
Sessions could be modified on different occasions. See this -> Session Poisoning