I'm wondering how you could best protect sessions. I've searched a bit and found a lot of answers, but many of them are just too confusing.
How to prevent sessions from being hijacked? I've read a lot about "session tokens" you generate in a form, but really don't understand what their use is. How does this prevent session hijacking?
I know you don't save things like passwords in sessions, but what CAN you store in them safely? Permissions (like a session variable which keeps track of the user level. Every time a page is opened, the session variable is checked. If it's not a certain number, you get an "access-denied" message displayed)? Or how do you handle this best?
Thank you!
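Added illustration, not part of the question or of any posted answer: a minimal server-side session sketch in Python that shows the three defensive points the question circles around. Session ids come from the OS random source so they cannot be guessed; the id is rotated on login so an id planted before authentication (session fixation) stops working; the per-session form token is what "tokens you generate in a form" usually refers to, and it defends against cross-site request forgery rather than against a stolen cookie; and the role stored in the session is re-checked on every request, which is safe because the browser only ever holds the opaque id, never the session data itself. The in-memory stores, user names, role levels and all function names are constructed for this example and stand in for a real framework's session backend and user database.

```python
import hashlib
import hmac
import secrets
import time

SESSION_IDLE_SECONDS = 30 * 60            # idle timeout bounds the life of a stolen id
ROLE_LEVEL = {"anonymous": 0, "user": 1, "admin": 2}   # constructed role ranking

# Constructed in-memory stores (assumption: a real app uses a server-side
# session backend and a database; the client only ever holds the session id).
SESSIONS = {}          # session_id -> dict of server-side session data


def hash_password(password, salt):
    # Passwords are never kept in the session or in plain text anywhere;
    # PBKDF2 is a stand-in for whatever slow hash the real app uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password, role):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt), "role": role}


USERS = {                                  # constructed sample accounts
    "alice": _make_user("correct-horse", "admin"),
    "bob": _make_user("battery-staple", "user"),
}


def new_session_id():
    # 32 bytes from the OS CSPRNG: an attacker cannot predict another user's id.
    return secrets.token_urlsafe(32)


def _fresh_session(user_id, role):
    return {
        "user_id": user_id,
        "role": role,
        "form_token": secrets.token_urlsafe(32),   # per-session anti-CSRF token
        "last_seen": time.time(),
    }


def create_session():
    """Anonymous session, as handed out on the first visit."""
    sid = new_session_id()
    SESSIONS[sid] = _fresh_session(None, "anonymous")
    return sid


def load_session(sid):
    """Return the session data, or None if unknown or idle too long."""
    s = SESSIONS.get(sid)
    if s is None:
        return None
    if time.time() - s["last_seen"] > SESSION_IDLE_SECONDS:
        del SESSIONS[sid]
        return None
    s["last_seen"] = time.time()
    return s


def login(sid, username, password):
    """Verify credentials and rotate the session id on this privilege change.

    Discarding the pre-login id is the session-fixation defence: an id the
    victim was handed before authenticating no longer names the logged-in
    session. Returns the new id, or None when the credentials are wrong.
    """
    user = USERS.get(username)
    if user is None:
        return None
    # constant-time comparison so the check does not leak partial matches
    if not hmac.compare_digest(user["hash"], hash_password(password, user["salt"])):
        return None
    SESSIONS.pop(sid, None)
    new_sid = new_session_id()
    SESSIONS[new_sid] = _fresh_session(username, user["role"])
    return new_sid


def logout(sid):
    # Destroy the server-side state; expiring only the cookie would leave
    # the session usable by anyone who already copied the id.
    SESSIONS.pop(sid, None)


def form_token_is_valid(sid, submitted):
    """Compare the hidden form field against the token stored in the session.

    A request forged from another site carries the victim's cookie but cannot
    read this token, so the check fails. It does not help once the cookie
    itself has been stolen; that is what HTTPS, HttpOnly and Secure cookie
    flags, rotation and idle timeouts are for.
    """
    s = load_session(sid)
    if s is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(s["form_token"], submitted)


def authorize(sid, required_role):
    """Re-read the role from the server-side session on every request."""
    s = load_session(sid)
    if s is None or s["user_id"] is None:
        return False
    return ROLE_LEVEL[s["role"]] >= ROLE_LEVEL[required_role]
```

The pattern to take from it: the session holds only an opaque user id and a role, the id changes whenever the privilege level changes, and each protected form round-trips a token that is checked with a constant-time comparison.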