Well on my site I use SSL certificate, and in the session I store some access data. Is there any way for the user to change this data? Or is it safe for me?
PHP SESSION
The use of the `$_SESSION` variable is very common and extremely widespread. It is very secure, but it has two points that can be "unsafe":
The first one is called "session fixation". Basically, because the session ID is stored in a cookie, this same ID can be changed to that of another user. This is not a problem if the user receives an ID with each new session, making it very difficult to find an active ID in a session to steal it (hijacking).
The second point depends on the code. If your code exposes the secret information stored in `$_SESSION`, then it is insecure. If your code allows the user to change the values of this information, then it is unsafe. In addition, if you store something in a `$_SESSION` variable and the code never allows the user to view or edit this information, then it is safe to do so.
Free translation from here.
You can read more in this discussion (English), or in the PHP Manual, which has a lot of information about sessions and security.
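The two points in the answer above, as an added example that is not part of the original answer: a session started with strict, cookie-only IDs, a fresh ID issued at login, and session values written only from server-side data. It assumes PHP 7.3+ on an HTTPS site; the function names and the `USERS` table are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample user table; a real site would query its database.
const USERS = [
    'alice' => ['id' => 42, 'role' => 'editor'],
];

function start_secure_session(): void
{
    // Refuse session IDs the server did not issue itself (anti-fixation).
    ini_set('session.use_strict_mode', '1');
    // Take the ID from the cookie only, never from a URL parameter.
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after the password check has succeeded (check omitted here).
function log_in(string $username): bool
{
    if (!array_key_exists($username, USERS)) {
        return false;
    }
    // Issue a fresh ID at login and delete the old session data.
    session_regenerate_id(true);
    // Values come from the server-side record, never from $_GET/$_POST.
    $_SESSION['user_id'] = USERS[$username]['id'];
    $_SESSION['role']    = USERS[$username]['role'];
    return true;
}

function current_role(): string
{
    // Unsafe counterpart to avoid: $_SESSION['role'] = $_POST['role'];
    return $_SESSION['role'] ?? 'guest';
}

start_secure_session();
log_in('alice');
echo htmlspecialchars(current_role()), PHP_EOL;
```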