I am wondering what the risks are of storing the user id in a session, then simply doing:

if (isset($_SESSION['user_id'])) {
    login_user($_SESSION['user_id']);
}

Are sessions encrypted enough that we won't have to worry about hashing them? What are the chances of someone being able to change their ID?
Before you can get a session id you need to start a session, which is done with the session_start() function. Once a session has been started, session_id() returns its id.
Session variables are stored in the associative array $_SESSION. These variables can be accessed for the lifetime of the session. The following example starts a session, then registers a variable called counter that is incremented each time the page is visited during the session.
PHPSESSID: the PHPSESSID cookie is native to PHP and enables websites to store serialised state data. It is used to establish a user session and to pass state data via a temporary cookie, commonly referred to as a session cookie.
Start a PHP session: a session is started with the session_start() function. Session variables are set with the PHP global variable $_SESSION.
The session is by default stored in /tmp as a file. It is not viewable by the end user unless you have security issues such as directory traversal vulnerabilities.
The only portion the client sees is the unique hash stored in a cookie which maps to the relevant session on the server.
Most applications use $_SESSION as you are. If there were a widespread weakness then major projects would be doing things differently.
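The pattern from the question, written out as an added example (not code from the question or the answer above): the user id lives only in the server-side session file, the client holds nothing but the opaque PHPSESSID cookie, and the session id is regenerated at login so an id obtained before authentication cannot be reused afterwards. The cookie flags, the constructed USERS table and the hypothetical lookup_user_by_id() helper are assumptions for the example, not part of the original page.

```php
<?php
// Added example: storing a user id in a PHP session and checking it on
// later requests. The USERS table is constructed sample data and
// lookup_user_by_id() is a hypothetical stand-in for a real user store.
declare(strict_types=1);

const USERS = [
    1 => ['id' => 1, 'name' => 'alice'],
    2 => ['id' => 2, 'name' => 'bob'],
];

function lookup_user_by_id(int $id): ?array
{
    return USERS[$id] ?? null;
}

// Set cookie attributes before the session starts: HttpOnly keeps script
// from reading PHPSESSID, Secure restricts it to HTTPS, SameSite limits
// cross-site sending. The cookie still only carries the session id, never
// the user id itself.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

function login_user(int $userId): void
{
    // Regenerate the id on the privilege change from anonymous to logged in,
    // so whatever id the browser held before login is discarded server-side.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

function current_user(): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    // The value is trusted because it never left the server: login_user()
    // wrote it into the session file that PHPSESSID maps to, and the client
    // cannot edit that file through the cookie.
    return lookup_user_by_id((int) $_SESSION['user_id']);
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying the server file.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage on a login handler after the password check has succeeded
// (the credential check itself is out of scope here):
// login_user(1);
// On any later page:
// $user = current_user(); // ['id' => 1, 'name' => 'alice'] or null
```

The one thing the client can change is the session id in the cookie, which is why the value must be unguessable (PHP's defaults are) and why it is regenerated at login and destroyed at logout; the user id inside the session needs no hashing because it is never sent to the browser.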