drb56625 2015-02-17 08:52
Accepted

Storing userId in session_id()

(I was looking for some tips on PHP session security, but in my total ignorance I am missing a lot of basic things. I'm doing a very basic web game without login, but I need to store a session.)

If it is safe to store $_SESSION['logged_in'] = TRUE; ...

Is it not safe, then, to store userId in session_id, like session_id(userId), when all players know other users' Ids? If not, what is the difference?

1 answer

  • dtyrxmoj20617 2015-02-17 09:11

    It is safe, not.

    But it depends on the context. Of course, it has nothing to do with $_COOKIE['logged_in']=true, which, for sure, is unsafe.

    But the following is unsafe too:

     session_id($user_id);
     $_SESSION['logged_in']=true;
    

    Because session_id will be stored in a cookie, and this way you can forge another user_id.

    You have to remember that session variables are stored on the server, and cookies in the browser. So if you consider your server as a safe place, it is safe, as long as you can't forge your identification cookies to fake your session.

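The distinction the answer draws, as an added example that is not part of the original answer: the session ID stays a random value generated by PHP, and the user ID is kept in server-side session data. `create_player()` is a hypothetical helper standing in for the game's own player storage, and the cookie settings assume the site is served over HTTPS.

```php
<?php
declare(strict_types=1);

// Unsafe pattern from the answer above:
//     session_id($user_id);
// The session cookie then carries a value every player already knows,
// so the cookie alone no longer proves who the visitor is.

// Hardened form: PHP generates the session ID, the user ID stays on the server.
ini_set('session.use_strict_mode', '1');   // do not adopt IDs the server never issued
ini_set('session.use_only_cookies', '1');  // never accept a session ID from the URL

session_set_cookie_params([
    'httponly' => true,   // not readable from page scripts
    'secure'   => true,   // assumption: the game is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Hypothetical helper: a real game would insert a row in its player table
// and return the new key. The random value here is a constructed stand-in.
function create_player(): int
{
    return random_int(1, PHP_INT_MAX);
}

// Returns the player bound to this session, creating one on the first visit.
function current_player_id(): int
{
    if (!isset($_SESSION['user_id'])) {
        // Issue a fresh random session ID before attaching an identity to it.
        session_regenerate_id(true);
        $_SESSION['user_id']   = create_player();
        $_SESSION['logged_in'] = true;
    }
    return $_SESSION['user_id'];
}

$playerId = current_player_id();

// Other players may know $playerId, but the cookie holds only the random
// session ID, which is what the server uses to look up $_SESSION.
echo "Playing as player #{$playerId}\n";
```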
