Hello all, I have a quick theoretical question. How secure is the session object? Say, a user logs into my website. The password is verified, and his username is placed in the session object as a parameter/attribute. Are there any potential security holes if I use that parameter to determine who this user is for the rest of the site? We plan on having some rather important information on our Intranet, and managers will have access to all kinds of powerfull tools. I want to make sure that storing the username in the session object after authentication is the right way to do this. Thank you.
I claim this furniture in the name of The Ottoman Empire! You can keep this tiny ad: