
Is PHP session data secure?

Let's assume some validated data gets passed from one PHP page to another using session parameters.

How can I be sure that, on the second PHP page, this session data is still the data I validated on the first PHP page? From what I understand, the session data is stored in cookies on the user's computer. So what stops the user from injecting corrupted data into that session cookie?

Because in my scenario I need to rely on the fact that the data passed to the second page is already validated.

So the main question is: how do I pass validated data securely from one page to another?

Many thanks in advance, Flo

flxh asked Feb 08 '23 07:02


1 Answer

The session data itself is stored server side. The only thing that is stored on the client's computer is a cookie with a unique identifier so the server knows which session to load at the server side.

Users cannot manipulate the data stored in the session itself, so in that sense, sessions are secure.

Then of course, the cookie itself could be stolen from a user and used by another user (a practice called 'session hijacking'). You can protect your users from this by, for example, locking a session to their IP address, browser version, etc., and using HTTPS to shield them from people sniffing connections.

Thomas answered Feb 10 '23 11:02
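The approach from the answer above, as an added PHP example (not code from the original post): validated data is kept in `$_SESSION` on the server, the session ID cookie is restricted to HTTPS, and the session is locked to the client's IP address and browser. The function names and the `validated` and `fingerprint` session keys are hypothetical.

```php
<?php
declare(strict_types=1);

// Start the session with a hardened cookie. Only the session ID travels in
// this cookie; the contents of $_SESSION stay on the server.
function start_secure_session(): void
{
    session_start([
        'cookie_secure'   => true,      // send the ID cookie over HTTPS only
        'cookie_httponly' => true,      // hide it from JavaScript
        'cookie_samesite' => 'Strict',
        'use_strict_mode' => true,      // reject session IDs the server did not issue
    ]);
}

// Hash of the client properties the session is locked to (IP address, browser).
function client_fingerprint(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . '|' . $ua);
}

// Page one: call this only after validation has succeeded.
function store_validated(array $data): void
{
    session_regenerate_id(true);        // issue a fresh ID and drop the old one
    $_SESSION['validated']   = $data;
    $_SESSION['fingerprint'] = client_fingerprint();
}

// Page two: call after start_secure_session(). Returns the validated data, or
// null when there is none or when the session ID is presented by a different
// client than the one that stored the data.
function load_validated(): ?array
{
    $stored = $_SESSION['fingerprint'] ?? null;
    if (!is_string($stored) || !hash_equals($stored, client_fingerprint())) {
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return $_SESSION['validated'] ?? null;
}
```

Locking to the IP address also ends the session for legitimate users whose address changes mid-session, for example on mobile networks, so some sites lock to the browser only.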