PHP
Michael R., 2017-09-10 11:25:40

Possible to change/fake $_SESSION?

Hello!
Right now I'm writing an authorization form for a mini-CRM according to the following logic:
0. We check whether this user has an active session, and if not, then:
1. I accept the entered login and password (md5) from the form.
2. If the login and password match the database, then:
3. I create a session for the given user.

And here the question immediately arises: is it possible to fake this very session, which I give to the user at the time of successful authorization? Of course, you can tie the session to a specific IP and write the IP itself to the database, but then you need to keep a list of IPs if the person comes from different devices, and this is hemorrhoids... If a session can be faked, then what is generally the best way to protect authorization in my case? Thank you!

1 answer(s)
DevMan, 2017-09-10
@Mike_Ro

It is impossible to forge a session in principle, because it is created automatically by the server.
You can intercept the identifier of an already established session, but that's a completely different story.
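
Added example, not part of the question or of DevMan's answer: a PHP sketch of the login flow from the question, hardened so that the session identifier (the only part of the session the browser holds) is harder to intercept or reuse, without binding to an IP. The function names, the 30-minute idle limit and the use of `password_hash()`/`password_verify()` instead of the md5 mentioned in the question are assumptions of this example; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 1800; // seconds of inactivity before re-login (assumed value)

// Call once per request, before any output is sent.
function start_hardened_session(): void
{
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never read the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // HTTPS only (assumes the CRM is served over TLS)
        'httponly' => true,    // not readable from page JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// $storedHash is assumed to be a password_hash() value from the users table.
function log_in(int $userId, string $password, string $storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // Issue a fresh ID at the moment of login and delete the old session file,
    // so an ID seen or planted before authentication is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId; // stored server-side; the client never sends it
    $_SESSION['last_seen'] = time();
    return true;
}

// Returns the logged-in user's id, or null if there is none or it has idled out.
function current_user_id(): ?int
{
    $uid  = $_SESSION['user_id'] ?? null;
    $last = $_SESSION['last_seen'] ?? 0;
    if ($uid === null || time() - $last > IDLE_LIMIT) {
        $_SESSION = [];
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_destroy(); // drop the server-side data for this ID
        }
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $uid;
}
```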
