views:

56

answers:

4

I want to check whether the user has signed in or not, so I assign a hidden form field to store the session key, and I have a POST method form to submit it.

Can others/hackers copy my session key from my field and send a POST request to the server? If yes, what can I do to avoid this?

+1  A: 

Can others/hackers copy my session key from my field and send a POST request to the server?

Yes.

If you want to minimize the risk of credentials leaking, use encryption (SSL (HTTPS)).

David Dorward
That will not protect him from someone with access to the local machine. But it's the obvious first step to take, I agree, so +1.
lexu
If someone has access to the local machine, then there is no security at all.
David Dorward
A: 

Yes, copying and resending the key from somewhere else can be easily done.

The trick is to make certain the session key is only valid for a limited time and can not easily be deduced from other data in the form.

You might, e.g., use a good encryption method to encode username, IP address and time into a session key. Decoding that key would allow you to verify user, system and time... not entirely foolproof still...

This will limit but not eliminate the risk.

lexu
A: 

You should use a server-side language to check the session key. It'll be much safer.

There are a couple of problems with having it as a hidden value. 1) The user could save the form, then change the value and try to hijack another session. 2) You could have a man-in-the-middle situation where someone is listening for the form to be submitted and then hijacks their session...

silent1mezzo
Nobody is suggesting using anything other than a server side language to check the key. (1) Users can **always** try to guess another session key, no matter where you store it. (2) Yes, but where the key is stored doesn't matter for that, only how it is transmitted.
David Dorward
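The two answers above (lexu's time-limited key bound to user, IP and time; silent1mezzo's point that the key must be checked server-side so a saved-and-edited form value cannot hijack another session) come down to one piece of server code. The following is an added example, not code from the original question or from any of the answerers: the key is an HMAC-signed, base64-encoded payload with an expiry and a random nonce, and the server verifies the signature before trusting anything in it. The function names, the `SERVER_SECRET` handling, the 15-minute TTL and the sample usernames and documentation-range IP addresses are all assumptions made for the example. Note what it does and does not fix: an edited or guessed key fails the signature check, and a copied key stops working after the TTL or from another IP, but a key copied in transit is still replayable until it expires, which is why HTTPS is the first step regardless of where the key is stored.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

# Hypothetical server-side secret. In a real deployment load it from
# configuration or a key store; never ship it in the page or in source.
SERVER_SECRET = os.urandom(32)
DEFAULT_TTL_SECONDS = 15 * 60  # assumed session lifetime for this example


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the key is safe in a form field."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_key(username, client_ip, now=None, ttl=DEFAULT_TTL_SECONDS,
                      secret=SERVER_SECRET):
    """Build '<base64 payload>.<base64 HMAC tag>' for a freshly logged-in user.

    The payload binds user, IP and time (lexu's suggestion); the HMAC makes it
    impossible to edit the payload or to guess a valid key without the secret.
    """
    now = time.time() if now is None else now
    payload = {
        "u": username,
        "ip": client_ip,
        "iat": int(now),
        "exp": int(now) + ttl,
        "nonce": _b64e(os.urandom(8)),  # two logins by the same user never share a key
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def verify_session_key(key, client_ip, now=None, secret=SERVER_SECRET):
    """Server-side check of a key posted back in the hidden field.

    Returns (ok, reason, username). Signature is checked before the payload is
    parsed, so nothing the client controls is trusted until it is authenticated.
    """
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = key.split(".", 1)
        body, tag = _b64d(body_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return False, "malformed", None
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "bad signature", None
    payload = json.loads(body)
    if now >= payload["exp"]:
        return False, "expired", None
    if payload["ip"] != client_ip:
        return False, "ip mismatch", None
    return True, "ok", payload["u"]


if __name__ == "__main__":
    # Constructed scenarios: alice logs in from 203.0.113.5 (documentation range).
    key = issue_session_key("alice", "203.0.113.5", now=1000, ttl=900, secret=b"k" * 32)
    print("same client, in time  :", verify_session_key(key, "203.0.113.5", now=1500, secret=b"k" * 32))
    print("copied to another host:", verify_session_key(key, "198.51.100.9", now=1500, secret=b"k" * 32))
    print("replayed after expiry :", verify_session_key(key, "203.0.113.5", now=2000, secret=b"k" * 32))
    # A saved form with the payload edited to claim user 'bob' keeps the old tag.
    forged = _b64e(b'{"exp":9999999999,"iat":1000,"ip":"203.0.113.5","nonce":"AAAAAAAAAAA","u":"bob"}')
    print("edited hidden field   :", verify_session_key(forged + "." + key.split(".")[1], "203.0.113.5", now=1500, secret=b"k" * 32))
```

Binding to the client IP is a trade-off rather than a free win: users behind load-balanced proxies or on mobile networks change address mid-session, so many deployments drop the IP check and rely on the short TTL plus HTTPS instead. The same key works equally well in a `Secure`, `HttpOnly` cookie; as David Dorward notes, where it is stored does not change the interception problem, only how it is transmitted does.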
A: 

You can use hashes and timestamps, which are discussed here, but most web development frameworks provide some sort of built-in authentication mechanism.

tarn