Jezza Posted February 1, 2010: Hey, if I have a login system that, let's say, just sets $_SESSION['user'] to their user ID, would that be safe? I'm not sure if people can actually edit sessions on the client end.
GKWelding Posted February 1, 2010: If the session data is saved as an unencrypted cookie then it is very easy to edit. If it's saved as an encrypted cookie or saved in a database then it is much more secure. However, please remember nothing is ever foolproof or completely safe. You have to take security on a per-project basis. You need to make cracking your security protocols more effort than the data you hold is worth. For example, there's no point in using SSL certificates and https if the only thing you're holding is food recipes.
Jezza Posted February 1, 2010 (Author): Thanks, but what I mean is, if I just do this: $_SESSION['allowedentry']="no"; would they be able to change that themselves? I just need to know the simple answer to that, cheers.
Mchl Posted February 1, 2010: "If the session data is saved as an unencrypted cookie..." ...which it isn't. Only the session's ID is stored on the client's side. All session data is stored on the server. Unless you overwrite the default session handlers with something silly, that is...
Jezza Posted February 1, 2010 (Author): Phew, I should be safe then, and the most they can do, I guess, is remove a session, which I don't care about at the moment. Thanks for keeping it simple, hehe.
Mchl Posted February 1, 2010: Don't worry. There are other means to exploit sessions. http://en.wikipedia.org/wiki/Session_fixation http://en.wikipedia.org/wiki/Session_poisoning ...
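As an added example (not code from anyone in this thread), here is the shape of a PHP login that keeps the user ID server-side in $_SESSION, as Mchl describes, and regenerates the session ID on login so a session fixation attempt does not survive authentication. The credential check is assumed to happen elsewhere; `loginUser`, `requireLogin` and `logoutUser` are hypothetical names.

```php
<?php
// Added example, not from the thread. Only the session ID travels in the
// cookie; $_SESSION['user'] lives in the server-side session store, so the
// client cannot edit it, but it CAN present an ID it chose or stole.
declare(strict_types=1);

// Harden the session cookie before the session starts: HttpOnly keeps page
// scripts from reading the ID, Secure restricts it to HTTPS, SameSite limits
// cross-site sending. Requires the array form (PHP 7.3+).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

function loginUser(int $userId): void
{
    // Mitigation for session fixation: throw away whatever session ID the
    // browser arrived with (possibly planted by an attacker) and issue a
    // fresh one before the session becomes privileged.
    session_regenerate_id(true);
    $_SESSION['user']      = $userId;
    $_SESSION['logged_in'] = true;
}

function requireLogin(): int
{
    // These values are never sent to the client, so the only check needed
    // is that the server-side session carries a completed login.
    if (empty($_SESSION['logged_in']) || !isset($_SESSION['user'])) {
        http_response_code(403);
        exit('Login required');
    }
    return (int) $_SESSION['user'];
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the cookie on the client too, so the old ID is not reused.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}
```

Call `loginUser($id)` only after the password check has succeeded; `requireLogin()` at the top of every protected page returns the stored user ID.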