I am currently doing a website in PHP, and we are using a session variable to store the permission level of each user.
For example, if any one of you would go on the website, you would automatically get a session variable with a value of "member".
What I am asking is: Is it possible for an attacker to go on the website and modify the value of the session variable to "admin" instead of "member"?
I am not asking how, just if it is possible, and if so, what kind of special access the attacker would need (e.g. access to the code, ...).
I have an alternative solution, which would be to replace the permission value with a token that would expire over time.
The second solution is way longer to implement.
Thanks for your help!
No, unless:
From what you've described, I assume you aren't storing the permission in a cookie. Therefore, the only way they could get access would be to guess/brute force an administrator's session ID or use some cross-site scripting attack. If your session IDs are sufficiently long, the first method would be very hard to accomplish.
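The following is an added example, not code from the original question or answer. It shows one way to keep the role in server-side `$_SESSION` while tightening the two avenues the answer names (session ID guessing and theft via cross-site scripting). The function names `start_hardened_session`, `promote_session` and `require_role` are hypothetical, and HTTPS and PHP 7.3 or later are assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; only the ini_set/session_* calls are PHP built-ins.
function start_hardened_session(): void
{
    // Refuse session IDs the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    // Take the session ID from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only (assumes the site uses HTTPS)
        'httponly' => true,   // not readable from JavaScript, so XSS cannot read the ID directly
        'samesite' => 'Lax',
    ]);
    session_start();

    // Every visitor starts as "member", as in the question.
    // The value lives on the server; the browser only holds the session ID.
    if (!isset($_SESSION['role'])) {
        $_SESSION['role'] = 'member';
    }
}

function promote_session(int $userId, string $roleFromDb): void
{
    // Issue a fresh ID on any privilege change and delete the old session data,
    // so an ID observed before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    // The role comes from the server's own user record (after password
    // verification), never from $_GET, $_POST or $_COOKIE.
    $_SESSION['role'] = $roleFromDb;
}

function require_role(string $needed): void
{
    // Check the server-side value on every protected page.
    if (($_SESSION['role'] ?? 'member') !== $needed) {
        http_response_code(403);
        exit('Forbidden');
    }
}

start_hardened_session();
```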