I save some important info in $_SESSION, not in $_COOKIE. So, my question is: is it dangerous? Or is it protected from malicious users trying to edit it, so I'm fine?
Thank you.
By the way, is it also possible to edit $_COOKIE? I heard yes, but if yes, then how?
$_SESSION is stored server-side. The best a hacker could do would be to substitute another user's session for the existing session, but the hacker could not insert arbitrary data into $_SESSION. $_COOKIE is, however, stored client-side, so a hacker can insert arbitrary data into the cookie by just editing the cookie.
By default, $_SESSION is already backed by a cookie with the name phpsessionid (so that the server is able to identify the client and associate it with one of the sessions in the server's memory). If a hacker knows someone else's cookie value and copies it into their own cookie with the same name on the same domain/path, then the hacker has access to the same $_SESSION. The cookie value is, however, long and random enough to minimize the risk of the session being hijacked within half an hour (the default session timeout).
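The two answers above boil down to: the client can send any cookie it likes, but it can only ever choose which server-side session it points at, never what is inside it. The following is an added example (not code from the question or either answer) of a PHP login handler that applies that distinction: it hardens the cookie that carries the session ID so it is harder to steal, rotates the ID at login so a previously planted or learned ID becomes useless, and reads authorization data from $_SESSION rather than $_COOKIE. `verify_credentials()`, the sample user store, the `role` cookie and the 30-minute idle limit are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original question or answers.
// (a) harden the cookie that backs $_SESSION,
// (b) rotate the session ID at login,
// (c) authorize from $_SESSION, never from $_COOKIE.
// verify_credentials(), the user store and the 'role' cookie are hypothetical.

// (a) Must be set before session_start().
ini_set('session.use_strict_mode', '1');   // reject session IDs the server never issued (anti-fixation)
ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
ini_set('session.gc_maxlifetime', '1800'); // idle lifetime in seconds (30 minutes, assumed)
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: discarded when the browser closes
    'path'     => '/',
    'domain'   => '',       // current host only
    'secure'   => true,     // sent over HTTPS only, so the ID cannot be sniffed
    'httponly' => true,     // invisible to document.cookie, so XSS cannot read it
    'samesite' => 'Strict', // not attached to cross-site requests
]);
session_start();

// Hypothetical credential check; returns the user's role, or null on failure.
function verify_credentials(string $user, string $password): ?string
{
    // Constructed sample store; a real application reads the hash from a database.
    static $store = null;
    if ($store === null) {
        $store = ['alice' => ['hash' => password_hash('s3cret-sample', PASSWORD_DEFAULT), 'role' => 'user']];
    }
    if (!isset($store[$user]) || !password_verify($password, $store[$user]['hash'])) {
        return null;
    }
    return $store[$user]['role'];
}

// (b) Login: the session becomes trusted only after authentication succeeds.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['user'], $_POST['password'])) {
    $role = verify_credentials((string) $_POST['user'], (string) $_POST['password']);
    if ($role === null) {
        http_response_code(401);
        exit('invalid credentials');
    }
    // Throw away the pre-login ID: if an attacker fixed it or learned it,
    // it is now invalid, and the fresh ID is sent only to this browser.
    session_regenerate_id(true);
    $_SESSION['user']      = $_POST['user'];
    $_SESSION['role']      = $role;
    $_SESSION['last_seen'] = time();
}

// (c) Authorization.
// WRONG: the browser controls the Cookie header, so a request carrying
//        "Cookie: role=admin" passes this check without any login.
function is_admin_insecure(): bool
{
    return ($_COOKIE['role'] ?? '') === 'admin';
}

// RIGHT: $_SESSION lives on the server; the client holds only the opaque ID.
function is_admin(): bool
{
    return ($_SESSION['role'] ?? '') === 'admin';
}

// Enforce the idle timeout on every request rather than relying on
// garbage collection, which PHP runs only probabilistically.
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > 1800) {
    session_unset();
    session_destroy();
    http_response_code(401);
    exit('session expired');
}
$_SESSION['last_seen'] = time();

echo is_admin() ? "admin area\n" : "regular user or anonymous\n";
```

To see the second answer's point about cookies being editable, replay a captured session cookie from another client with `curl -b 'PHPSESSID=<value>' https://example.test/` (host assumed): the request lands in that user's $_SESSION, which is exactly the hijack the answer describes, and the `secure`, `httponly` and `samesite` flags above exist to make obtaining that value harder. Sending `curl -b 'role=admin' ...` instead shows why `is_admin_insecure()` is wrong and `is_admin()` is not: the forged cookie reaches $_COOKIE unchanged, but nothing the client sends can write into $_SESSION.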