Can a user alter the value of $_SESSION in PHP?

by

Storing variables in the $_SESSION variable has two potentials for “insecurity”.

  • The first as described by the other answer is called “session fixation”. The idea here is that since the session ID is stored in a cookie, the ID can be changed to that of another user’s. This is not a problem if a user gets a new ID every single session therefore making it very difficult to find an ID of a currently working session and hijack it.
  • The second depends entirely on your code. If your code leaks the values of the secret information you store in $_SESSION then it is insecure. If your code allows the user to control the values of that information it is insecure. Otherwise if something is in the $_SESSION variable and your code never allows the user to see it or write to it then it is secure.

More Related Contents:

  1. Parse error: syntax error, unexpected T_STRING in C:\wamp\www\b_php\project\login_save.php on line 14 [closed]
  2. How to change the session timeout in PHP?
  3. Allow php sessions to carry over to subdomains
  4. Check if PHP session has already started
  5. How to use store and use session variables across pages?
  6. Understanding the “post/redirect/get” pattern
  7. Where to put password_verify in login script?
  8. PHP session without cookies
  9. PHP Session timeout
  10. Is possible to keep session even after the browser is closed?
  11. Why is PHP session_destroy() not working?
  12. When and why I should use session_regenerate_id()?
  13. Passing multiple variables to another page in url
  14. Destroy PHP Session on closing
  15. How to set lifetime of session
  16. How to tell if a session is active? [duplicate]
  17. Set Session variable using javascript in PHP
  18. Find Number of Open Sessions
  19. How to destroy the session cookie correctly with PHP?
  20. How to set session timeout in Laravel?
  21. What is the difference between session_unset() and session_destroy() in PHP?
  22. Cookies vs. sessions in PHP
  23. Laravel 5 Session Lifetime
  24. PHP session IDs — how are they generated? [duplicate]
  25. PHP Session ID changing on every request
  26. Same domain, different folder PHP session
  27. Reopening a session in PHP
  28. Extending session timeout in PHP via the .htaccess
  29. saving checkbox state on reload
  30. Issues with PHP 5.3 and sessions folder

Leave a Comment