Is it possible for the user to edit the session?

0

Well, on my site I use an SSL certificate, and in the session I store some access data. Is there any way for the user to change this data? Or is it safe for me?

    
asked by anonymous 16.02.2017 / 13:47

1 answer

1

PHP SESSION

The use of the `$_SESSION` variable is very common and extremely widespread, and it is very secure, but it has two points that can be "unsafe":

The first one is called "session fixation". Basically, because the session ID is stored in a cookie, this same ID can be changed to that of another user. This is not a problem if the user receives an ID with each new session, making it very difficult to find an active ID in a session to steal it (hijacking).

The second point depends on the code. If your code exposes the secret information stored in `$_SESSION`, then it is insecure. If your code allows the user to change the values of this information, then it is unsafe. In addition, if you store something in a `$_SESSION` variable and the code never allows the user to view/edit this information, then it is safe to do so.

Free translation from here.

You can read more in this discussion (English), or in the PHP Manual, which has a lot of information about sessions and security.

    
16.02.2017 / 14:10
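
The two points from the answer above, as an added PHP example that is not part of the original answer: the session ID is replaced at login so a fixed ID is useless, and request data reaches `$_SESSION` only through an allow-list. The function names, the `$user` array layout and the preference keys are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hardened session bootstrap. Call before any output is sent.
function start_secure_session(): void
{
    // Reject session IDs the server did not issue (blocks attacker-chosen IDs).
    ini_set('session.use_strict_mode', '1');
    // Accept the ID from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // send the cookie over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Hypothetical login step: $user is a row already loaded by the caller.
function login(array $user, string $password): bool
{
    if (!password_verify($password, $user['password_hash'])) {
        return false;
    }
    // New ID at the privilege change; true deletes the old session data.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['role']    = $user['role'];   // set from server-side data only
    return true;
}

// Hypothetical preferences update: copy only allow-listed keys from the request.
function update_preferences(array $input): void
{
    $allowed = ['language', 'theme'];
    foreach ($allowed as $key) {
        if (isset($input[$key]) && is_string($input[$key])) {
            $_SESSION['prefs'][$key] = substr($input[$key], 0, 32);
        }
    }
    // Anti-pattern: $_SESSION = array_merge($_SESSION, $input);
    // that would let a request overwrite 'user_id' or 'role'.
}
```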