This has been crossing my mind and I'm wondering if it is possible: how secure can it be to store info in the $_SESSION variable of PHP?
A user cannot modify PHP sessions on the server. They can only forge a legitimate cookie and masquerade as a logged-in user - but that will require them to steal a valid cookie in the first place.
You need to call session_start before you check whether $_SESSION['can'] has a value. You also do not need to destroy and create a new session just to change a value.

    <?php
    session_start();
    if (isset($_SESSION['can'])) {
        $_SESSION['can'] = 2;
    } else {
        $_SESSION['can'] = 1;
    }
    header('Location: '.
Session variables can be accessed on the client side. For example, you could check the value by calling:

    alert('<%=Session["RegisterId"] %>');

Anything between the "<%" and "%>" runs at the server, so it will evaluate the current value of the session.
Cookies are in control of the user. Anyone can add, delete, or alter the value of any cookie.
Storing variables in the $_SESSION variable has two potentials for "insecurity".

PHP sessions work by storing a PHPSESSID cookie on the end user's computer that acts as an access key for server-based session information. That cookie value is a hashed string (the security of which depends on your PHP settings) that is used to link the particular browser to the specific session values you set. That string looks something like b420803490a9f0fe8d6a80657fec3160. So, the end user could alter that string, but then their session will become invalid, since it almost certainly won't match one that's being stored by PHP, and they won't have access to data.

There is a risk, as others have mentioned, that someone's PHPSESSID becomes exposed, and people use that to hijack someone else's session.
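Added example, not taken from any of the answers above: a PHP login/logout pair that addresses both risks the answers describe, a stolen or forged PHPSESSID cookie and a client-supplied session ID. It assumes PHP 7.3 or later (array form of session_set_cookie_params), that the script is served over HTTPS (the Secure flag would otherwise prevent the cookie from being sent), and a constructed in-memory user table in place of a real credential store. Note that session.use_strict_mode is what makes an altered ID "invalid": with it off, PHP accepts any unknown ID a client sends and starts a fresh session under it, which is the basis of session fixation.

```php
<?php
// Added example (not the original answers' code). Hardened session setup
// for the PHPSESSID cookie discussed above. Assumes PHP >= 7.3 and HTTPS.
declare(strict_types=1);

// Reject session IDs the server never issued. Without this a client can send
// an arbitrary PHPSESSID and PHP will start a session under that ID.
ini_set('session.use_strict_mode', '1');
// Never accept or emit the ID in URLs, where it leaks via Referer and logs.
ini_set('session.use_only_cookies', '1');
// Longer, higher-entropy IDs than the default make guessing impractical.
ini_set('session.sid_length', '48');
ini_set('session.sid_bits_per_character', '6');

// HttpOnly keeps document.cookie from reading the ID (XSS theft), Secure
// keeps it off plaintext HTTP, SameSite=Lax blunts cross-site requests.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, discarded when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Constructed stand-in for a real user store; hashes are computed at startup.
$USERS = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function login(array $users, string $user, string $password): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    // Issue a new ID on privilege change so an ID an attacker already knows
    // (sniffed, or planted before login) never becomes the authenticated one.
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    $_SESSION['last_seen']  = time();
    return true;
}

// Idle timeout: a hijacked cookie is only useful while the session is alive.
function session_is_live(int $idleLimit = 900): bool
{
    if (!isset($_SESSION['user'], $_SESSION['last_seen'])) {
        return false;
    }
    if (time() - $_SESSION['last_seen'] > $idleLimit) {
        logout();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the client-side cookie as well as destroying the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Usage from a login form handler (POST fields assumed for illustration):
// if (login($USERS, $_POST['user'] ?? '', $_POST['password'] ?? '')) { ... }
// Every later request: if (!session_is_live()) { header('Location: /login'); exit; }
```

The ini_set calls must run before session_start, and if php.ini already sets these values they can be dropped; session_regenerate_id(true) deletes the old server-side file so the previous ID cannot be replayed.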