Jezza Posted February 1, 2010 Hey, if I have a login system that, say, sets $_SESSION['user'] to their user ID, would that be safe? I'm not sure if people can actually edit sessions on the client end.
GKWelding Posted February 1, 2010 If the session data is saved as an unencrypted cookie then it is very easy to edit. If it's saved as an encrypted cookie or saved in a database then it is much more secure. However, please remember nothing is ever foolproof or completely safe. You have to take security on a per-project basis. You need to make cracking your security protocols more effort than the data you hold is worth. For example, there's no point in using SSL certificates and HTTPS if the only thing you're holding is food recipes.
Jezza Posted February 1, 2010 Author Thanks, but what I mean is, if I just, say, do this: $_SESSION['allowedentry']="no"; would they be able to change that themselves? I just need to know the answer to that simple question, cheers.
Mchl Posted February 1, 2010 "If the session data is saved as an unencrypted cookie..." ...which it isn't. Only the session's ID is stored on the client's side. All session data is stored on the server. Unless you overwrite the default session handlers with something silly, that is...
Jezza Posted February 1, 2010 Author Phew, I should be safe then, and the most they can do, I guess, is remove a session, which I don't care about at the moment. Thanks for keeping it simple hehe.
Mchl Posted February 1, 2010 Don't worry. There are other means to exploit sessions. http://en.wikipedia.org/wiki/Session_fixation http://en.wikipedia.org/wiki/Session_poisoning ...
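The two points made in this thread, that PHP's default handler keeps only the session ID on the client while $_SESSION lives on the server, and that the ID itself is still a target (session fixation), translate into a few lines of defensive code around the login. The following is an added example written for this page, not code posted by anyone in the thread. It assumes PHP 7.3 or newer (for the array form of session_set_cookie_params and setcookie), a hypothetical verifyCredentials() in place of a real user-table lookup, and a constructed sample user "jezza" with the password "correct horse".

```php
<?php
// Added example, not from the original thread. It shows: cookie hardening for the
// session ID (the only thing the client holds), regenerating the ID on login so a
// pre-planted ID (session fixation) never becomes authenticated, and storing the
// user ID in $_SESSION on the server, exactly as the original poster proposed.

declare(strict_types=1);

// Harden the one cookie that does go to the client: the session ID.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',    // limits cross-site sending of the cookie
]);
ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
session_start();

// Hypothetical credential check (assumption: replace with a lookup against your
// real user table). Returns the user ID on success, null on failure.
function verifyCredentials(string $username, string $password): ?int
{
    // Constructed sample user; the hash is computed on first use.
    static $users = null;
    if ($users === null) {
        $users = [
            'jezza' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
        ];
    }
    if (!isset($users[$username])) {
        return null;
    }
    return password_verify($password, $users[$username]['hash'])
        ? $users[$username]['id']
        : null;
}

function login(string $username, string $password): bool
{
    $userId = verifyCredentials($username, $password);
    if ($userId === null) {
        return false;
    }
    // Discard the pre-login session ID, which an attacker may have handed to the
    // victim, and issue a fresh one before anything privileged is stored under it.
    session_regenerate_id(true);
    $_SESSION = [];                   // drop anything written before authentication
    $_SESSION['user'] = $userId;      // server-side only; the client never sees this
    $_SESSION['login_time'] = time();
    return true;
}

// Guard for protected pages: the client cannot forge $_SESSION['user'], it can only
// present a session ID, so presence of the key means the server set it at login.
function requireLogin(): int
{
    if (!isset($_SESSION['user'])) {
        http_response_code(403);
        exit('Not logged in');
    }
    return (int) $_SESSION['user'];
}

function logout(): void
{
    $_SESSION = [];
    // Expire the client-side cookie as well as destroying the server-side record.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Usage on a login form handler (constructed inputs):
if (login('jezza', 'correct horse')) {
    echo 'Logged in as user ' . requireLogin() . PHP_EOL;
}
```

The order inside login() matters: session_regenerate_id(true) runs before $_SESSION['user'] is written, so an ID chosen by an attacker is never the ID under which the authenticated data is stored. session.use_strict_mode closes the remaining fixation path where PHP would otherwise happily create a new session under any ID the client presents.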