Is Setting A $_SESSION Value That Is The Same As A GET Parameter A Security Risk - PHP?
I've seen a PHP security tutorial where it says never to accept $_SESSION identifiers from GET or POST variables due to session hijacking and fixation. It annoyingly doesn't go into any real detail on this though.
In an application I'm building I have a $_SESSION value that is the $username variable that is set when a user logs in. This value is taken from the database, but is later used in GET requests via URL parameters:
$_SESSION['username'] = $username;
Note: The $username and all other data is sanitized going into the database and escaped when being fetched from the database.
Is the above session name a real no-no? And if this is indeed bad practice should I be using the user id from the database or similar information that is never publicly displayed (e.g. in a url parameter)?
Using the $username variable is handy because I use it in url parameters as well via the $_SESSION value, an example of which is below:
<a href='<?php echo "profile.php?username={$_SESSION['username']}"; ?>'>My Profile</a>
When a user logs in the actual session id is regenerated with session_regenerate_id(true); so the id of each session changes each time the user is authenticated.
Any advice would be greatly appreciated.
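What the tutorial's warning actually refers to, as an added example that is not part of the question or of any answer on this page: the risky form is `$_SESSION['username'] = $_GET['username']` (identity taken from the request), whereas the code below keeps identity server-side, uses the username only as escaped display data, and treats the URL parameter as nothing more than a lookup key. The helper find_user_by_credentials and the users table columns (id, username, password_hash) are assumptions for this example.

```php
<?php
// Added example (not from the question): the safe shape of the pattern
// described above. Identity comes only from the server-side session;
// $_GET['username'] is a lookup key for a public profile, never an identity.
declare(strict_types=1);

// Hypothetical data-access helper: checks credentials and returns the
// user's id and username, or null. Assumed for this example.
function find_user_by_credentials(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return ['id' => (int) $row['id'], 'username' => $row['username']];
}

function login(PDO $db, string $username, string $password): bool
{
    $user = find_user_by_credentials($db, $username, $password);
    if ($user === null) {
        return false;
    }
    // Fixation defence: fresh id once privilege changes; the old id is deleted.
    session_regenerate_id(true);
    // The stable, non-user-controlled key is the identity...
    $_SESSION['user_id'] = $user['id'];
    // ...and the username is only display data copied from the database,
    // never from $_GET or $_POST.
    $_SESSION['username'] = $user['username'];
    return true;
}

// Build the profile link: urlencode for the query string, htmlspecialchars
// for the attribute. Session data is trusted for identity, not for output.
function profile_link(string $username): string
{
    $url = 'profile.php?username=' . urlencode($username);
    return "<a href='" . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . "'>My Profile</a>";
}

// profile.php: the GET parameter selects WHICH public profile to show;
// whether the viewer may edit it is decided from $_SESSION alone.
function can_edit_profile(int $profile_owner_id): bool
{
    return isset($_SESSION['user_id']) && $_SESSION['user_id'] === $profile_owner_id;
}
```

The username appearing in both the session and the URL is not itself the hazard; the hazard is any code path that reads the URL parameter back into the session or uses it to decide what the visitor is allowed to do.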