DeX Posted November 17, 2013 I'd like to display a user profile for the currently logged in user so they can edit their contact details. I already have a secure login scripted which works well and it stores the user_id, username and a login_string into session variables. The login_string is a long alphanumeric string of hashed values used when checking the logged in status of the user, but it's not stored in the database. My concern is that if I pass the user_id from the session variable to the model to get the user contact information, the user can easily change that variable in order to display someone else's information. So should I continuously hash the same variables to compare the login_function, or should I just store it in the database once the user logs in so that it's readily available to do a comparison on any time I need database information? Does that make sense?
requinix Posted November 17, 2013 As long as you don't expose to the user the ID you're using to find profile information, which you shouldn't do anyway because you're displaying the currently logged-in user regardless, then it's fine.
DeX Posted November 17, 2013 (Author) How do I keep track of the currently logged in user if I don't store the ID in a session variable? If it's in a session variable, then the user is free to change it as they wish.
mac_gyver Posted November 17, 2013 How could a user set a session variable? That's completely under the control of your code.
DeX Posted November 17, 2013 (Author) Session hijacking and poisoning? Is that something I should worry about?
MDCode Posted November 17, 2013 The only thing a user can do is change their session ID cookie to acquire another user's session. The actual session data is private and stored on the server.
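The mechanism the replies describe, as an added example that is not part of the thread: a minimal server-side session store in Python (the thread names no language, so the example is framework-neutral). The browser only ever holds an opaque random session ID in a cookie; the user_id lives in server memory keyed by that ID, so the client cannot edit it. The block contrasts a profile handler that trusts a client-supplied user_id (the real way someone else's profile leaks) with one that reads user_id from the session, shows that a forged cookie value maps to no session, and rotates the ID at login so an ID known before authentication is worthless. All names (SessionStore, login, profile_insecure, profile_secure, run_demo) and the USERS table are hypothetical and constructed for this example.

```python
import hmac
import secrets

# Constructed sample user table. Passwords are plain strings here only to keep
# the example short; real code stores and verifies password hashes instead.
USERS = {
    1: {"username": "alice", "email": "alice@example.com", "password": "alice-pw"},
    2: {"username": "bob", "email": "bob@example.com", "password": "bob-pw"},
}


class SessionStore:
    """Server-side store (hypothetical). Session data never leaves the server;
    the client only receives the random session id to send back as a cookie."""

    def __init__(self):
        self._sessions = {}

    def create(self, data):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._sessions[sid] = dict(data)
        return sid

    def get(self, sid):
        # Any id not issued by the server (forged, expired, invented) yields None.
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def login(store, pre_login_sid, username, password):
    """Authenticate and return a fresh session id, or None on failure.
    The pre-login session is destroyed so that an id the attacker planted or
    observed before authentication (session fixation) cannot be reused."""
    for user_id, rec in USERS.items():
        if rec["username"] == username and hmac.compare_digest(rec["password"], password):
            store.destroy(pre_login_sid)
            return store.create({"user_id": user_id, "username": username})
    return None


def profile_insecure(store, cookies, query):
    """Wrong: looks up the profile by a user_id taken from the request. Any
    logged-in user can read any profile by changing ?user_id=... This is how
    someone else's data leaks; the session itself is not the weak point."""
    if store.get(cookies.get("sid")) is None:
        return None
    return USERS.get(int(query["user_id"]))


def profile_secure(store, cookies):
    """Right: the user_id comes from server-side session data. The client can
    only present a session id; it cannot alter what that id points to."""
    session = store.get(cookies.get("sid"))
    if session is None:
        return None
    return USERS.get(session["user_id"])


def run_demo():
    store = SessionStore()
    fixed_sid = store.create({})  # id known to an attacker before login
    alice_sid = login(store, fixed_sid, "alice", "alice-pw")
    bob_sid = login(store, None, "bob", "bob-pw")

    results = {}
    # Alice's profile is resolved from her session, not from any request input.
    results["alice_sees_own"] = profile_secure(store, {"sid": alice_sid})["email"]
    # Bob tampers with the query string against the insecure handler and wins.
    results["idor"] = profile_insecure(store, {"sid": bob_sid}, {"user_id": "1"})["email"]
    # Against the secure handler there is no client-controlled input to tamper with.
    results["secure_ignores_query"] = profile_secure(store, {"sid": bob_sid})["email"]
    # Bob edits his cookie to an invented value: no session exists for it.
    results["forged_cookie"] = profile_secure(store, {"sid": "user_id=1"})
    # The id Alice had before logging in was discarded at login.
    results["fixation_blocked"] = store.get(fixed_sid)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The remaining attack MDCode names is the one this store cannot prevent on its own: a copy of the real session id (stolen over an unencrypted connection or via script access to the cookie) is indistinguishable from the legitimate client, which is why the id must be long and random, as here, and why the cookie should be sent only over HTTPS and kept out of reach of page scripts.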