Starting a session?

How do I place a user id in a session? Just paste the id? I mean (for example):

$_SESSION['id'] = 1; 

Can't the user change it (like a cookie...)? Because, if so, they could switch to any identifier.

One more question - how can I check if a user is registered (with sessions)? I created a session:

 $_SESSION['is_logged_in'] = true; 

Again, can the user simply create a session whose name is "is_logged_in" and whose value is true? Or does only the server have control over the value?

+6
1 answer

All session variables in PHP are stored on the server side. The client stores a cookie that refers to this session, and then the server looks at the values for the session. It is safe to store is_logged_in in your session, as well as the user ID.

What you should be aware of is that if another user grabs the cookie for a user's session, he will be able to simulate that user until the session ends. One simple solution is to associate sessions with IP addresses.

+12
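
The server-side flow described in this answer, as an added example that is not part of the original answer. The function names `login_user` and `current_user_id` are hypothetical, and the sketch assumes PHP 7.3 or later and that the credentials were already verified before `login_user` is called.

```php
<?php
// Added example, not code from the original answer.
// Harden the session cookie before the session starts: the cookie only
// carries the session ID, while the values in $_SESSION stay on the server.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // send the cookie only over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue
session_start();

// Hypothetical helper: call only after the password check succeeded.
function login_user(int $userId): void
{
    session_regenerate_id(true);            // issue a fresh ID, delete the old session
    $_SESSION['id'] = $userId;
    $_SESSION['is_logged_in'] = true;
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'] ?? ''; // bind the session to this address
}

// Hypothetical helper: returns the user ID, or null when there is no
// logged-in session or the cookie arrives from a different IP address.
function current_user_id(): ?int
{
    if (empty($_SESSION['is_logged_in']) || !isset($_SESSION['id'])) {
        return null;
    }
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!hash_equals($_SESSION['ip'] ?? '', $ip)) {
        $_SESSION = [];      // cookie presented from another address: drop the session
        session_destroy();
        return null;
    }
    return (int) $_SESSION['id'];
}
```

Binding to the IP address logs out users whose address changes during a session (mobile networks, some proxies), so the check in `current_user_id` trades some convenience for the protection.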

Source: https://habr.com/ru/post/898414/

