Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’ve developed my website that checks if the user is registered and creates a session variable with the username. It’s all that is stored as a session variable. If I want to protect my pages (so that only registered users may see them), I check if the session variable is set. Is this secure? Or can you give a more secure method?
Generally, the Session is server side, but If I somehow get the Session ID I can just hijack it.
I’d recommend at least storing either the IP and maybe also the User-Agent, and in case of mismatch, invalidate the Session.