Hello Digital Point, I wanted to know, can a user change a session variable? I need to know so that I don't create errors and put unescaped info in the db. Thanks, -Tony
Not really, but users can hijack the sessions. Please read more about session security here: http://phpsec.org/projects/guide/4.html gl.
I mean can a user change something stored in their session? Like their username, for example. ($_SESSION['username']) -Tony
When you use PHP Sessions, an HTTP cookie is created on the visitor's computer storing an ID. That ID is used to fetch the data on the server in the /tmp directory. Can a visitor modify their cookies? Yes, because it's stored on their computer. Can a visitor change the corresponding data on the server? No, because it's stored on a remote computer. The only thing they can do is change the session id to one which is invalid.
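An added example, not part of the original thread: a login flow in which `$_SESSION['username']` is only ever written by server code, the session ID is replaced at login to limit hijacking, and the session value is still bound as a query parameter because it began as form input. The in-memory SQLite database, the `users`/`notes` schema, the function names and the account are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumptions for this sketch: in-memory SQLite, a hypothetical users/notes
// schema, and one constructed account whose name contains an apostrophe.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT)');
$db->exec('CREATE TABLE notes (username TEXT, body TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(["tony o'neil", password_hash('constructed-password', PASSWORD_DEFAULT)]);

session_start([
    'cookie_httponly' => true,  // keep the session ID away from page scripts
    'use_strict_mode' => true,  // refuse session IDs the server did not issue
]);

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);        // fresh ID once the user is authenticated
    $_SESSION['username'] = $username;  // stored server-side, set by this code only
    return true;
}

function addNote(PDO $db, string $body): void
{
    if (!isset($_SESSION['username'])) {
        throw new RuntimeException('not logged in');
    }
    // The visitor cannot edit this value through the cookie, but it originally
    // came from the login form, so it is bound as a parameter, not concatenated.
    $stmt = $db->prepare('INSERT INTO notes (username, body) VALUES (?, ?)');
    $stmt->execute([$_SESSION['username'], $body]);
}

// Constructed usage: log in, then write a row using the session value.
if (login($db, "tony o'neil", 'constructed-password')) {
    addNote($db, 'first note');
}
```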