changing data in the $_SESSION variable

views:

answers:

changing data in the $_SESSION variable

Hi .

Currently I have a class in the constructor stores variables in $_SESSION.

I was told not to store the user_id in $_SESSION, because then a user could change the ID to a one of his liking, and then access the website freely from any account. Instead, I've stored a session_id and created a table that has links a session_id to a user_id.

My question is - how difficult is it to manipulate this data? I also have a store system on my project, and I realized that I wouldn't be able to store things like the store's owner ID in a $_SESSION variable. This would lead to me querying the database every page, at least, to get the data.

How insecure is it to store this type of information in $_SESSION? Does anyone have a better solution?

+8 A:

Whoever told you that is wrong; the user cannot change the data that you store in the $_SESSION array. What the user could edit is the cookie that is set with the sessionid so that PHP can recognize that user. They can't really realistically change it to another user's sessionid, though. The only danger that you run is if someone somehow gets a hold of the user's sessionid cookie in which case they can pose as the logged in user to your website, but there's not much you can do about that besides some IP checking.

Paolo Bergantino 2009-06-11 11:24:29

why would I even have to use a cookie? why can't i always use $_SESSION?

daniel 2009-06-11 11:36:46

The cookie is how PHP knows which session to load

Greg 2009-06-11 11:38:09

oh, i see. your talking about the cookie that PHP automatically creates when I invoke $_SESSION, correct? not something that I have to do?

daniel 2009-06-11 11:40:50

Yup. That's the one.

Paolo Bergantino 2009-06-11 11:41:23

The wrong previous answer (http://stackoverflow.com/questions/964071/correct-way-to-manage-sessions-in-php#964129) has loads of upvotes, which is somewhat frustrating

Tom Haigh 2009-06-11 13:22:53

Yeah, I found it ridiculous that that answer was marked as correct and received that many upvotes.

linead 2009-06-11 13:46:37

+2 A:

Whoever told you that was wrong.

The session data is stored on the server - it can only be altered by someone who as access to the server, or if someone is able to call a script that alters session data, and given that the only scripts that they can call are the pages of your site you can control this (as long as you take steps to ensure there are no flaws in your code).

Visage 2009-06-11 11:25:15

+1 A:

Session data is being stored by web server in temporary files(by default) or DB or somewhere else (you can configure it). So end-user can't change anything in your $_SESSION data if you don't give him FTP/SSH access to your server. The only thing he can change is session ID in request, but there's nothing insecure in this case. Well, hope your "advisor" will read more about HTTP-sessions and how do they work.

Jet 2009-06-11 11:41:07

ansaurus

tags:

views:

answers:

changing data in the $_SESSION variable

related questions