manix, posted August 8, 2011:

Hey, I need to know if $_SESSION variables are editable? Because when a user logs in his username is being set in $_SESSION['user'] and it's not coded in any way (by me) so if it is possible to edit a session variable a user can simply change it to the admin's name and do some nasty stuff.

Link to comment: https://forums.phpfreaks.com/topic/244201-a-ittle-info-about-sessions/

the182guy, posted August 8, 2011:

They aren't editable by clients unless your code allows them to be, e.g. by a bug/vulnerability or a vulnerability in the web server, for example in a shared hosting environment. If someone got their hands on the admin's session ID cookie then they may be able to perform a session hijack and log in as the admin.
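
An added example, not part of the original thread: it contrasts a handler that lets the client write into `$_SESSION` with one that does not, and shows a login that sets `$_SESSION['user']` only from server-verified data while protecting the session ID cookie. All function names, the sample accounts and the request array are hypothetical and constructed for the illustration.

```php
<?php
// Constructed account store for the example; a real application reads this from its database.
function find_user_hash(string $name): ?string {
    $users = [
        'manix' => password_hash('correct horse', PASSWORD_DEFAULT),
        'admin' => password_hash('s3cret-admin', PASSWORD_DEFAULT),
    ];
    return $users[$name] ?? null;
}

function start_session(): void {
    // Only the session ID travels in the cookie; keep it away from scripts and plain HTTP.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    ini_set('session.use_strict_mode', '1'); // refuse session IDs the server did not issue
    session_start();
}

// VULNERABLE pattern: every request field is copied into the session,
// so a request carrying user=admin overwrites $_SESSION['user'].
function remember_prefs_unsafe(array $request): void {
    foreach ($request as $key => $value) {
        $_SESSION[$key] = $value;
    }
}

// Hardened: only allow-listed preference keys, stored away from identity keys.
function remember_prefs(array $request): void {
    foreach (['theme', 'lang'] as $key) {
        if (isset($request[$key]) && is_string($request[$key])) {
            $_SESSION['prefs'][$key] = $request[$key];
        }
    }
}

function login(string $name, string $password): bool {
    $hash = find_user_hash($name);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true); // fresh ID after login; the pre-login ID stops working
    $_SESSION['user'] = $name;   // identity comes from the verified account, never from input
    return true;
}

// Constructed request: a logged-in user submits preferences plus an extra 'user' field.
start_session();
login('manix', 'correct horse');
remember_prefs(['theme' => 'dark', 'user' => 'admin']);
var_dump($_SESSION['user'], $_SESSION['prefs']);
```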
Archived
This topic is now archived and is closed to further replies.