JonnySnip3r Posted May 21, 2010

Hey guys, just wanted to know because I was unsure. Are sessions secure, can they be manipulated client side? And are sessions safe to store a user's permissions in? Thanks guys

BizLab Posted May 21, 2010

Sessions are stored on the server in the directory (folder) defined when you run the session_save_path() function. Create a page with only this, and you will be able to see the path:

```php
<?php
echo '<h1>SESSION SAVE PATH: '.session_save_path().'</h1>';
?>
```

Post the page on your server and access it from a browser.

To answer your question though, give your users an access level of some sort (e.g. 1, 2, 3, 4) and then apply permissions to those access levels in your code like

```php
if ($access_level >= 2) {
    // do some level 2 and up stuff
} else {
    // you do not have the permissions needed to do it
}
```

Sessions are much more secure than cookies, but I don't recommend you use them for what you need. I would store the access level in a session.

```php
$_SESSION['access_level'] = $access_level; // queried from your database
```

You can then use it on every page!

mcdsoftware Posted May 21, 2010

I agree that sessions are much more secure than using cookies, but you could make it even more secure by changing the save path to something custom (instead of the default /tmp) and also try to read up on session hijacking articles.

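An added example, not code from any poster in this thread: the access-level check BizLab describes, kept in a server-side session that uses the custom save path mcdsoftware suggests plus settings that limit session hijacking. The directory path, the sample user, and the helper names start_secure_session(), log_in() and require_level() are assumptions, as is PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example: server-side access level in a hardened session.
// Assumptions (not from the thread): PHP 7.3+, HTTPS, the directory path,
// and the helper names start_secure_session(), log_in(), require_level().

function start_secure_session(string $savePath): void
{
    // Custom save path instead of the shared default, mode 0700 so only
    // the web server user can read the session files.
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
        throw new RuntimeException('cannot create session directory');
    }
    session_save_path($savePath);

    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // send the cookie only over HTTPS
        'httponly' => true,   // hide the cookie from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(int $userId, int $accessLevel): void
{
    // Issue a new ID at every privilege change and delete the old session file.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['access_level'] = $accessLevel; // value queried from the database
}

function require_level(int $needed): bool
{
    // A missing or non-integer value counts as level 0 (no access).
    $level = $_SESSION['access_level'] ?? 0;
    return is_int($level) && $level >= $needed;
}

start_secure_session('/var/lib/php/app_sessions'); // hypothetical path
log_in(42, 2);                                     // constructed sample user
if (require_level(2)) {
    echo "level 2 and up\n";
} else {
    http_response_code(403);
    echo "you do not have the permissions needed\n";
}
```

The browser only ever holds the session ID cookie; the access level itself stays in the session file on the server, so the check depends on the ID staying secret and being reissued at login.
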
JonnySnip3r (Author) Posted May 21, 2010

Thank you both very much!!! You have helped me so much

Archived
This topic is now archived and is closed to further replies.