Fog Juice Posted November 22, 2008

I have a security question: is $_SESSION['insert value here'] saved on the server side or client side? Can a user ever edit or change a $_SESSION value? Can they ever see anyone else's $_SESSION value? So for example, say a user logs in with $_SESSION['userid'], can that user ever change the $_SESSION['userid'] value to someone else's id? Thanks in advance.

Link to comment https://forums.phpfreaks.com/topic/133757-solved-is-_sessioninsertname-saved-server-side-or-client-side/

MasterACE14 Posted November 22, 2008

It's server side, it can't be changed by playing with the URL or whatever.

Fog Juice (Author) Posted November 22, 2008

> It's server side, it can't be changed by playing with the URL or whatever.

So there is absolutely no way client side can change it? Not even through dirty/hacked up browsers that are used to try and maliciously change code of websites?

xtopolis Posted November 22, 2008

Unless you allow it, it cannot be changed.

- If you have a form that sets a variable of $_SESSION['insert..'] then it's possible they can overwrite it if you allow them to access the form improperly.
- The same can be said if you check $_GET vars, etc.

So unless you leave a hole, no they can't change it. However, if someone was to gain access to someone else's session, they would have their session values.

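The hole xtopolis describes, shown next to a corrected handler, as an added example that is not part of the original thread. The function names, the `$users` table and the sample request are hypothetical and constructed for illustration; in a real script the `$session` argument would be `$_SESSION`.

```php
<?php
// Added example: all names and sample data below are hypothetical.

// VULNERABLE: copies every submitted field into the session, so a request
// carrying an extra "userid" field overwrites the logged-in identity.
function save_prefs_vulnerable(array &$session, array $post): void
{
    foreach ($post as $key => $value) {
        $session[$key] = $value;
    }
}

// HARDENED: only allow-listed preference keys are read from the request,
// and they land under their own sub-array. userid is never client-supplied.
function save_prefs_hardened(array &$session, array $post): void
{
    foreach (['theme', 'language'] as $key) {
        if (isset($post[$key]) && is_string($post[$key])) {
            $session['prefs'][$key] = $post[$key];
        }
    }
}

// userid is written in exactly one place: after the server checked the password.
function login(array &$session, array $users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name]['hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session ID at login, old one dropped
    }
    $session['userid'] = $users[$name]['id'];
    return true;
}

// Constructed sample data: one account and a request with an extra field.
$users  = ['alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
$forged = ['theme' => 'dark', 'userid' => 2];

$a = [];
login($a, $users, 'alice', 'correct horse');
save_prefs_vulnerable($a, $forged);
echo "vulnerable handler: userid = {$a['userid']}\n";

$b = [];
login($b, $users, 'alice', 'correct horse');
save_prefs_hardened($b, $forged);
echo "hardened handler:   userid = {$b['userid']}\n";
```
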
Fog Juice (Author) Posted November 22, 2008

> Unless you allow it, it cannot be changed.
>
> - If you have a form that sets a variable of $_SESSION['insert..'] then it's possible they can overwrite it if you allow them to access the form improperly.
> - The same can be said if you check $_GET vars, etc.
>
> So unless you leave a hole, no they can't change it. However, if someone was to gain access to someone else's session, they would have their session values.

How could someone get access to someone else's session? Other than holes on the form/using get... I am using post btw.

MasterACE14 Posted November 22, 2008

Really, the only way someone could access someone else's session is if you store session info in a database as well. Even then, it is unlikely that they would be able to get hold of the info.

xtopolis Posted November 22, 2008

http://en.wikipedia.org/wiki/Session_hijacking

Fog Juice (Author) Posted November 22, 2008

Thank you, everyone.

Archived
This topic is now archived and is closed to further replies.