Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Is there any scenario where a client/user/hacker can set $_SESSION variables themselves (excluding malicious software running on a server computer. I mostly mean via the browser)?
The reason I ask is because of this question that I asked a few days ago. Since then I have become pretty confused on the subject, but I’ve got a better idea of session fixation and hijacking.
To put it as simply as possible, if I validate every page with something like isset($_SESSION['validated']), is it secure?
Yes if you were assigning
$_SESSIONvariables directly to unfiltered user input.Which brings me to my point: NEVER TRUST INPUT FROM THE USER. EVER
If indeed you are filtering the input, then I don’t see how it could be done.