Validating PHP User Sessions
Another simple way that sessions can be compromised is when users work on public computers. When cookies are used, the cookie may be left on the computer after the user is finished, leaving an open door. Alternatively, if URL rewriting is used, a session can be compromised as simply as the next user browsing through the history. If the user doesn't manually click logout, or closes the browser expecting that this will automatically log him or her out, there are a number of security risks: when URL rewriting is used, when the cookie has an expiration time instead of ending when the browser window closes, and, particularly, if the session doesn't time out within a short amount of time.
All of the above does not even mention the more active hackers who write programs that continually try to brute-force their way into a system by trying random session identifiers, or who are able to gain access to network traffic and read any unencrypted traffic, thereby potentially gaining access to all session data being passed to a site. I doubt that most websites will ever have to worry about these kinds of attacks unless they become a high-profile site. Nonetheless, it is good to know the possibilities, which makes clear that some precautions need to be taken other than blindly accepting the session identifier; these will be discussed next.
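The following is an added example, not code from the original article, showing how the risks described above map onto PHP session settings: strict mode rejects session IDs the server never issued (so guessed identifiers are not adopted), cookies-only transport keeps the ID out of rewritten URLs and browser history, a lifetime of 0 ends the cookie with the browser, and an idle timeout handles the user who walks away from a public computer. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params) and HTTPS; the limits and the $_SESSION key names are illustrative choices.

```php
<?php
// Added example (not from the original article): start a PHP session with
// settings that close the gaps described above, then enforce idle and
// absolute timeouts. Limits and $_SESSION keys are illustrative assumptions.

function start_validated_session(int $idle_limit = 900, int $absolute_limit = 28800): bool
{
    // Refuse IDs the server never issued, so a guessed ID is not silently adopted.
    ini_set('session.use_strict_mode', '1');
    // Carry the ID only in a cookie, never in rewritten URLs (browser history).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // lifetime 0: cookie dies with the browser; HttpOnly/Secure limit leakage.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    $idle_expired = isset($_SESSION['last_activity'])
        && ($now - $_SESSION['last_activity']) > $idle_limit;
    $absolute_expired = isset($_SESSION['created_at'])
        && ($now - $_SESSION['created_at']) > $absolute_limit;
    if ($idle_expired || $absolute_expired) {
        end_session();   // abandoned on a shared machine: treat as logged out
        return false;
    }
    if (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = $now;
    }
    // Rotate the ID periodically so an ID captured earlier stops working.
    if (!isset($_SESSION['rotated_at']) || ($now - $_SESSION['rotated_at']) > 600) {
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = $now;
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

// Explicit logout: clear data, expire the cookie, destroy the server-side record.
function end_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 42000, 'path' => $p['path'],
        'domain' => $p['domain'], 'secure' => $p['secure'], 'httponly' => $p['httponly']]);
    session_destroy();
}
```

Call start_validated_session() at the top of every protected page and redirect to the login page when it returns false; a logout link should call end_session() rather than relying on the browser being closed.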