User can modify server side PHP session? How is that possible? Can you provide me any links to read up on?
Thanks in advance, Brett!
On Sun, 03 Dec 2006 02:46:06 +1100, Brett Patterson brett@bpatterson.net
wrote:
Stefan Rompf wrote:
On Saturday, 2 December 2006 00:25, Chris Fordham wrote:
Does the user require cookies to use Roundcube, or would this add that requirement?
Roundcube already uses (and IMHO requires) cookies, so this does not
change anything.
Stefan
Well, honestly, sessions can be changed by the user easily. There are
extensions for Firefox that allow people who are just playing around to
modify their session. This can either make or break the system.

Cookies, while more difficult to modify, are still modifiable, as well
as easily visible.

One thing that I would suggest is that IF you need to keep the password
in the session or in a cookie, the password and other vital information
are encrypted in some way, either with the mcrypt library or through a
user-created encryption method. This would be much safer so that if
someone did try to view the information, it would be encrypted. Just my
suggestion(s).
~Brett
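
Brett's suggestion to encrypt a password before it is kept in the session or a cookie, as an added example that is not part of the original thread or Roundcube's own code. It uses PHP's libsodium functions in place of mcrypt, which was removed in PHP 7.2; the `seal_secret`/`open_secret` helpers, the `$session` array and the key handling are assumptions made for illustration.

```php
<?php
// Added example: authenticated encryption of a password before it is placed
// in session storage. Uses libsodium (bundled since PHP 7.2), not mcrypt.
declare(strict_types=1);

// Assumption: in production the key is loaded from server-side configuration
// outside the web root; it is generated here only so the script runs alone.
$key = sodium_crypto_secretbox_keygen();

// Hypothetical helper: encrypt and authenticate a value for storage.
function seal_secret(string $plaintext, string $key): string
{
    // Fresh random nonce per message, stored in front of the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $box);
}

// Hypothetical helper: returns the plaintext, or null if the stored value
// is malformed or fails the integrity check.
function open_secret(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Stand-in for $_SESSION so the script runs from the CLI without session_start().
$session = [];
$session['password'] = seal_secret('constructed-sample-password', $key);

// Normal use: the application decrypts only at the moment it needs the password.
var_dump(open_secret($session['password'], $key) === 'constructed-sample-password');

// A value altered in storage (session file, database row, cookie) fails the
// MAC check, so the application can refuse it instead of using modified data.
$raw = base64_decode($session['password'], true);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 1);
var_dump(open_secret(base64_encode($raw), $key));
```

Because the key stays on the server, anyone who can read the stored value sees only ciphertext, and a modified value is rejected rather than decrypted to garbage.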