https://www.webmaster-forums.net/crss/node/1037156 en https://www.webmaster-forums.net/serverside-scripting/session-security#comment-1213409 <blockquote class="bb-quote-body"><p><strong>JeevesBond;213396 wrote:</strong> ...The only thing stored on the client is the sessionid. You don't need to use MySQL to store your session information: that's what FrankR is saying, you can use a server side cookie instead....</p></blockquote> <p>That's exactly what I am saying. Additionally, JavaScript can be used to steal the sessionid from the cookie on the users machine if any user-supplied content with code is allowed. It is all too common!</p> <p>Frank</p> Fri, 12 Jan 2007 12:12:12 +0000 FrankR comment 1213409 at https://www.webmaster-forums.net https://www.webmaster-forums.net/serverside-scripting/session-security#comment-1213396 <p>I think what FrankR is saying is that this information is not stored on the client machine, it's stored on the server (in the /tmp directory). The only thing stored on the client is the sessionid. You don't need to use MySQL to store your session information: that's what FrankR is saying, you can use a server side cookie instead.</p> <p>If you did put more information into your client side cookie (and treat that as being reliable) then yes, you are asking for trouble. <img src="https://www.webmaster-forums.net/misc/smileys/smile.png" title="Smiling" alt="Smiling" class="smiley-content" /> Never trust what the client sends you! Using $_SESSION will not lead to anything other than the sessionid being stored on the client.</p> Fri, 12 Jan 2007 09:54:28 +0000 JeevesBond comment 1213396 at https://www.webmaster-forums.net https://www.webmaster-forums.net/serverside-scripting/session-security#comment-1213357 <p>I do a lot of work on some pages with javascript as well.</p> <p>1) Can it access the same session information or is it simply not possible?<br /> 2) Say I were to put "accountLevel = 5;" inside a &lt;script&gt; in my header file. This is EASILY changed through "javascript:accountLevel = 10" in the address bar. What can I do to combat this or do some other method?</p> Fri, 12 Jan 2007 04:05:03 +0000 Triexa.com comment 1213357 at https://www.webmaster-forums.net https://www.webmaster-forums.net/serverside-scripting/session-security#comment-1213351 <p>It's a safe as the PHP configuration on the server. The session ID is stored in the cookie. The session data is stored on the server. Session data is stored by default in the /tmp directory on a typical Linux or BSD host. </p> <p>You need to be aware of cross-site scripting attacks and their use to commit session hijacking. An attack can be carried out against web sites that allow unfiltered HTML to be posted. The attacker places some JavaScript on the page that captures the session cookie from the user&#8217;s browser and fetches a 1 pixel image from a remote server. The script appends the cookie content (containing the session key) to the image URL. The attacker then retrieves the session ID from his logs and uses it to access your web site under the credentials of the hijacked session.</p> <p>Note that the attack I just described is not specific to PHP sessions!</p> <p>Frank</p> Fri, 12 Jan 2007 02:48:53 +0000 FrankR comment 1213351 at https://www.webmaster-forums.net