Ikerepc Posted April 10, 2019
Hi... I wanna know, is there a way for a user to fake a session? I couldn't find that out... What I'm asking is: when a user logs in to my site with his username and password, it stores his id in the session. And permissions and everything are "going out" of that session variable... That's the first thing the program checks to see if a user is logged in and which one. For cookies I'm using a hash and salt, but I wanna know how to protect sessions, as if it's possible to fake them, I need to secure them. When a user is logged in, the session uid has his user id. If someone could only change that id in the session variable, he could be an admin...
gw1500se Posted April 10, 2019
No. Session information is stored on the server. The only thing transferred between the client and server is the session ID.
ginerjm Posted April 10, 2019
Another thing you could do (OTW here) is create a random "value" to store in that uid that is NOT a true user id or anything resembling an important value. Then use that token to do a lookup on a table set up to just store login data, and if you find that token value you will have whatever info you need, such as the true user's id. This way nobody can alter the session value (good luck with that) to another value that could cause you harm, since they are all random and not viewable at all by the hacker. This is an awful lot of work to do for something that is pretty darn safe as it is, but if you think that your appl/data is THAT super-sensitive, then go for it! Rather than read the articles that express fear about the safety of Session data, why not find the ones that tell you how sessions really work and how safe they can be?
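Putting gw1500se's point (only the session ID ever reaches the browser; the uid lives on the server) and ginerjm's token-lookup idea into code, as an added example that is not from any of the posters. It assumes a PDO handle `$pdo` and two hypothetical tables, `users(id, username, password_hash)` and `login_tokens(token, user_id)`.

```php
<?php
// Added example, not code from the thread. Assumes a PDO handle $pdo and two
// hypothetical tables: users(id, username, password_hash) and
// login_tokens(token, user_id).
declare(strict_types=1);

// The browser only ever holds the session ID cookie, so harden that cookie.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/',
    'secure'   => true,   // sent over HTTPS only
    'httponly' => true,   // not readable by page scripts
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // refuse session IDs the server never issued
session_start();

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Issue a fresh session ID on login so an ID set before login cannot be reused.
    session_regenerate_id(true);

    // ginerjm's variant: the session holds an opaque random token; the real
    // user id is only reachable through a server-side lookup.
    $token = bin2hex(random_bytes(32));
    $pdo->prepare('INSERT INTO login_tokens (token, user_id) VALUES (?, ?)')
        ->execute([$token, (int) $row['id']]);
    $_SESSION['uid'] = $token;
    return true;
}

function currentUserId(PDO $pdo): ?int
{
    if (!isset($_SESSION['uid'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT user_id FROM login_tokens WHERE token = ?');
    $stmt->execute([$_SESSION['uid']]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}
```

Whether you store the user id directly or the random token, `$_SESSION` is never sent to the client, so a visitor cannot edit it; what the cookie flags and `session_regenerate_id()` add is protection of the session ID itself.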