No, especially if you forget to send the cookie as a secure cookie, which is
a massive security hole that many developers forget about. HTTPS is meant
for encrypting data to and from the server. Session data is just that, data.
If you hijack a session you then become the user that the session should
belong to. That means that you can see the things that only they should see
and do the things that only they should do. You can still do that under
HTTPS and still be hijacking someone's stuff.
On Thu, Nov 27, 2008 at 9:13 AM, Edgar da Silva (Fly2k) <
Running your application under https isn't enough to protect the
Yes, mostly. Session data is stored in serialized fashion in a plain text
file on the server. The access to that file is granted based on session
which is set as a cookie on the client machine. The client needs to, in
effect, tell the server which session to use, which is how sessions can
On Thu, Nov 27, 2008 at 8:49 AM, E. Fransiscus <efra...@gmail.com>
Doesn't session work on server side?
Robert A. Gonzalez
Edgar Ferreira da Silva
Software Engineer
Campinas - SP
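
Added example, not part of the thread: one way to start a PHP session so that the session cookie is only ever sent over HTTPS and the ID is replaced at login. The function names `start_secure_session` and `on_login` are hypothetical, and the code assumes PHP 7.3+ with TLS terminated by the PHP server itself (no reverse proxy in front).

```php
<?php
// Added example. With PHP's defaults (session.cookie_secure off), a bare
// session_start() issues a cookie without the Secure flag, so the browser
// also sends it on any plain http:// request to the same host, where it
// can be read off the wire even though the application itself uses HTTPS.

function start_secure_session(): void
{
    // Assumption: TLS ends at this server, so $_SERVER['HTTPS'] is reliable.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        // Never create or resume a session over an unencrypted request.
        http_response_code(400);
        exit('HTTPS required');
    }

    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue

    session_set_cookie_params([
        'lifetime' => 0,      // cookie is dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // browser sends the cookie over HTTPS only
        'httponly' => true,   // cookie is not readable from JavaScript
        'samesite' => 'Lax',  // not attached to most cross-site requests
    ]);

    session_start();
}

function on_login(int $userId): void
{
    // Issue a fresh ID and delete the old session file, so an ID captured
    // or planted before authentication is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

The resulting `Set-Cookie` header for the session should carry `Secure` and `HttpOnly`, which can be confirmed in the browser's developer tools or with `curl -I`.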