Jump to content

[SOLVED] Is $_SESSION['insertname'] saved server side or client side?

Fog Juice

By Fog Juice
in PHP Coding Help

Recommended Posts

Fog Juice Member

Fog Juice

Posted
Posted

I have a security question, is $_SESSION['insert value here'] saved on the server side or client side? Can a user ever edit or change a $_SESSION value? Can they ever see anyone elses $_SESSION value?

 

So for example, say a user logs in with $_SESSION['userid'], can that user ever change the $_SESSION['userid'] value to someone elses id?

 

Thanks in advance.

Fog Juice Member

Fog Juice

Posted
  • Author
Posted

its server side, it can't be changed by playing with the URL or whatever.

 

so there is absolutely no way client side can change it? Not even through dirty/hacked up browsers that are used to try and maliciously change code of websites?

xtopolis Member

xtopolis

Posted
Posted

Unless you allow it, it cannot be changed.

 

-If you have a form that sets a variable of $_SESSION['insert..'] then it's possible they can overwrite it if you allow them to access the form improperly.

-The same can be said if you check $_GET vars, etc.

 

So unless you leave a hole, no they can't change it.

 

 

However, if someone was to gain access to someone else's session, they would have their session values.

Fog Juice Member

Fog Juice

Posted
  • Author
Posted

Unless you allow it, it cannot be changed.

 

-If you have a form that sets a variable of $_SESSION['insert..'] then it's possible they can overwrite it if you allow them to access the form improperly.

-The same can be said if you check $_GET vars, etc.

 

So unless you leave a hole, no they can't change it.

 

 

However, if someone was to gain access to someone else's session, they would have their session values.

 

How could someone get access to someone else's session? Other than holes on the form/using get... I am using post btw.

MasterACE14 Advanced Member

MasterACE14

Posted
Posted

really the only way someone could access someone elses session, is if you store session info in a database as well. Even though even that would be unlikely they would be able to get a hold of the info.

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.