Data only comes into the session when you, as a developer, put the user into the session using the code you write. Thus, sessions are only as secure as the data you allow into them, and as how you trust and use that data. In addition, sessions are based on the session identifier that the client uses to identify the session user. If someone captures the session identifier, they can impersonate the user whose session identifier they stole. This can happen when sending messages without SSH. Therefore, do not trust the session identifier to identify the user (for important things) unless they are logged in and the session ID is transmitted only in protected mode.
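The points above (the session ID is the only thing tying a client to a session, it must not travel in the clear, and it should only be trusted for sensitive actions after a real login) can be expressed directly in PHP's session configuration. The following is an added example, not code from the original answer; the helper names `login_user`, `require_login` and `logout_user` are assumptions chosen for illustration, and the actual credential check is left to the application.

```php
<?php
// Added example (not from the original answer): hardening a PHP session so the
// session ID is only sent over TLS, is not readable by page scripts, and is only
// trusted for sensitive actions once the user has actually authenticated.
// login_user / require_login / logout_user are illustrative names, not a library API.

// Refuse to adopt session IDs that this server did not generate itself.
ini_set('session.use_strict_mode', '1');

// Cookie flags: Secure keeps the ID off plaintext HTTP, HttpOnly keeps it away
// from JavaScript (limits what an XSS can read), SameSite narrows cross-site sends.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

session_start();

// Called only after the application's own authentication logic has verified
// the credentials (that check is outside this example).
function login_user(int $userId): void
{
    // Issue a fresh ID at the privilege change so that an ID set before login
    // (e.g. one the client arrived with) never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

// Guard for anything "important": the ID alone proves nothing. Only data the
// application itself stored after a login does, and only over a protected channel.
function require_login(): int
{
    $overTls = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$overTls || empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Login over HTTPS required');
    }
    return (int) $_SESSION['user_id'];
}

// Clear both the server-side data and the session itself on logout, so a
// captured ID stops being useful as soon as the user leaves.
function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}
```

The configuration calls must run before `session_start()`, since the cookie parameters are applied when the session cookie is first emitted. Everything in `$_SESSION` was written by the application's own code, which is exactly why the `user_id` check in `require_login` is meaningful while the bare presence of a session ID is not.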