Possible to change/fake $_SESSION?
Hello!
Right now I'm writing an authorization form for a mini-CRM with the following logic:
0. I check whether this user already has an active session; if not, then:
1. I accept the login and password (md5) entered in the form.
2. If the login and password match the database, then:
3. I create a session for that user. And here the question immediately arises: is it possible to fake this very session that I give the user at the moment of successful authorization?
Of course, you can tie the session to a specific IP and store the IP itself in the database, but then you need a list of IPs if the person logs in from different devices, and that's a pain...
If a session can be faked, then what is the best way in my case to protect the authorization?
Thank you!
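An added example (not the asker's code) of how the login step described above is usually hardened in PHP: the session id is regenerated on successful login so an id that existed before authentication cannot be reused, the cookie is flagged HttpOnly/Secure/SameSite, and the password is checked with password_verify() against a hash made by password_hash() instead of comparing md5 values. The `users` table, its column names, and the 12-hour session lifetime are assumptions.

```php
<?php
// Added example, not the asker's code. Assumes a `users` table with
// columns id, login, password_hash (hash produced by password_hash()).
declare(strict_types=1);

// Reject session ids the server did not issue itself (blocks session fixation).
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,   // not readable by JavaScript
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',  // not sent on cross-site POST requests
]);
session_start();

function login(PDO $db, string $login, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE login = ?');
    $stmt->execute([$login]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() compares in constant time against a salted slow hash;
    // a plain md5 string comparison is neither salted, slow, nor constant-time.
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }

    // Issue a brand-new session id on privilege change so that any id known
    // before login no longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $user['id'];
    $_SESSION['login_at'] = time();
    return true;
}

function currentUserId(): ?int
{
    // Expire the session 12 hours after login regardless of activity (assumed policy).
    if (isset($_SESSION['user_id'], $_SESSION['login_at'])
        && time() - $_SESSION['login_at'] < 12 * 3600) {
        return $_SESSION['user_id'];
    }
    return null;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```

The session id itself is a random server-generated token that is never derived from user data, so the remaining risk is reuse of an id that leaked (for example over plain HTTP), which the cookie flags and the short lifetime limit.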