I'm not exactly sure how $_SESSION works in PHP. I assume it is a cookie on the browser matched up with a unique key on the server. Is it possible to fake that and bypass logins that only use sessions to identify the user?
If $_SESSION doesn't work like that, can someone potentially fake cookies and bypass logins?