Well on my site I use SSL certificate, and in the session I store some access data. Is there any way for the user to change this data? Or is it safe for me?
Is it possible for the user to edit the session?
0
asked by anonymous 16.02.2017 / 13:47
1 answer
1
PHP SESSION
The use of the $ _SESSION variable is very common and extremely widespread, very secure but has two points that can be "unsafe":
The first one is called " session fixation ". Basically, because the session ID is stored in a COOKIE , this same ID can be changed to that of another user. This is not a problem if the user receives an ID with each new Session, making it very difficult to find an Active ID in a Session to steal it ( hijacking .
The second point depends on the code. If your code exposes the secret information stored in $ _SESSION then it is insecure. If your code allows the user to change the values of this information, then it is unsafe. In addition if you store something in a $ _SESSION variable and the code never allows the user to view / edit this information, then it is safe to do so.
Free translation from here .
You can read more on this Discussion > (English) or even in the PHP Manual has a lot of information about Sessions and security.
16.02.2017 / 14:10