0
Good on my site I use SSL certificate, and in the session I store some access data. Is there any way for the user to change this data? Or the way I’m doing it is safe?
0
Good on my site I use SSL certificate, and in the session I store some access data. Is there any way for the user to change this data? Or the way I’m doing it is safe?
1
PHP SESSION
The use of the $_SESSION variable is very common and extremely widespread, very safe but has two points that can be "unsafe":
The first is called "Session fixation". Basically, how the session ID is stored in a COOKIE, this same ID can be changed to that of another user. This is not an issue if the user receives an ID each new Session, making it very difficult to find an active ID in a Session to steal it (Hijacking En).
The second point depends on the code. If your code exposes the secret information stored in $_SESSION then it is unsafe. If your code allows the user to change the values of this information, then it is insecure. In addition, if you store something in a $_SESSION variable and the code never allows the user to view/edit that information, then it is safe yes.
Free translation from here.
You can read more on this Discussion (English) or even on its own PHP Manual has a lot of information about Sessions and security.
Browser other questions tagged php
You are not signed in. Login or sign up in order to post.
well the code only queries the $_SESSION variable to check if the user has a certain privilege.
– Hugo Borges