I am trying to understand sessions in php. As far as I understand in a basic login system the sessions work like this: On a page exampledomain.com/login.php:
if (password_verify($_POST['user_password'], $result->password_hash)) {
//write user data into PHP SESSION
$_SESSION['user_name'] = $_POST['user_name'];
}
Then on the pages that only logged in users can view I check:
if (isset($_SESSION['user_name'])) {
//do something
}
Now what I don't understand is what if a hacker on his own servers (hackerdomain.com) does something like this assuming he knows a username:
session_start();
$_SESSION['user_name'] = 'Test';
<form method="post" action="exampledomain.com/page-only-logged-in-users-can-view.php" name="loginform">
<input type="submit" name="login" value="Login" />
</form>
Now he set a value in $_SESSION['user_name'] so he will be logged in wihtout even needing a password. I got very confused about this session thing. I read php documentation but I still don't get it.
A session in the end is a cookie that a server send to the browser. This cookie is special and has some properties like:
More info at https://developer.mozilla.org/es/docs/Web/HTTP/Cookies