Hello all,
Just wanted to see if I am leaving open some security hole in a script I have! When the user logs in, it creates a session based on the id field of the users table! For example, my id is 10, so a session is created based on that.
What I wanted to know is: if I want a secure way to identify a genuine user based on their session, should I make this session more complicated by adding further details? Or even create multiple sessions?
I am currently checking the user against my SQL table id against their session, but thought that if someone created a session from another website with, for example, the number 10, then I wouldn't want them being able to access my member's account whose ID number is 10!
Hope this makes sense and someone can clarify the best way around it.
Thanks