Is there any scenario where a client/user/hacker can set $_SESSION variables themselves (excluding malicious software running on a server computer; I mostly mean via the browser)?
The reason I ask is because of this question that I asked a few days ago. Since then I have become pretty confused on the subject, but I've got a better idea of session fixation and hijacking.
To put it as simply as possible, if I validate every page with something like isset($_SESSION['validated']), is it secure?