Hi there,
I bumped into the use of session_set_cookie_params() and was thinking about how to limit access for undesired users.
Besides lifetime, I thought it would be effective to set the domain param.
But how effective is this in reality? Isn't it also possible to spoof domain names (as a lot can be crafted)?
Is there any evidence this can be done, and if so, how to avoid it? Like cloaking domains or so, or is that exaggerating and time-consuming?