SESSIONS - Power


jaymc

Would you put powerful data in a session as a means of authorisation?

For example, I have a script that queries the user's username and sees if their member group is about 3.

If it is, I know they are a moderator.

However, it would be much easier to just have a session with the data moderator=yes inside it, for example.

Is there any way that can be taken advantage of by a malicious user?

From what I know, sessions are really secure as they are stored server side, but would it be something you would try and avoid, or is it something OK to go ahead with?

https://forums.phpfreaks.com/topic/70645-sessions-power/

I tend to limit the amount of data in my sessions to the username / id and if they're logged in or not.  I don't think there's any extra security gained from this, but it allows me to only have to worry about updating information in one place.

 

Here's a hypothetical situation for you. You have an admin user that is abusing their privileges. The super-user logs in and demotes them to non-admin. Now, if each page load is reading the user's status from the DB, then they immediately lose their privileges. If you have their role / status stored in a session, then it won't take effect until they log out, which means they can continuously abuse their privileges even though the super-user has revoked them.


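The stale-privilege scenario in the reply above, as an added example that is not code from either poster. It uses an in-memory SQLite table (via PDO) as a stand-in for the real users table; the table layout, the column names and the rule "member_group 3 means moderator" are assumptions for illustration. The point it makes is that a role cached in `$_SESSION` at login cannot be altered by the client, but it also cannot see a demotion made in the database afterwards, whereas a per-request lookup keyed on the session's user id can.

```php
<?php
// Added example, not from the original thread. Assumes a users table with
// (id, username, member_group) and that member_group 3 means "moderator".
declare(strict_types=1);

const MODERATOR_GROUP = 3; // assumption for this example

function setupDb(): PDO {
    // In-memory SQLite stands in for the real database; rows are constructed sample data.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, member_group INTEGER)');
    $db->exec("INSERT INTO users (id, username, member_group) VALUES (1, 'alice', 3), (2, 'bob', 1)");
    return $db;
}

// Login as the question proposes: look the group up once and cache a
// moderator=yes/no flag in the session alongside the user id.
function login(PDO $db, string $username): void {
    $stmt = $db->prepare('SELECT id, member_group FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException('no such user');
    }
    // Fresh session id at login so a pre-set (fixated) id is not promoted to a logged-in one.
    session_regenerate_id(true);
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['moderator'] = ((int) $row['member_group'] === MODERATOR_GROUP) ? 'yes' : 'no';
}

// Style 1: trust the flag cached at login. Server-side, so the client cannot
// forge it, but it only changes when the session is rebuilt (i.e. re-login).
function isModeratorCached(): bool {
    return ($_SESSION['moderator'] ?? 'no') === 'yes';
}

// Style 2 (the reply's recommendation): keep only the identity in the session
// and read the role from the database on every request.
function isModeratorLive(PDO $db): bool {
    if (!isset($_SESSION['user_id'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT member_group FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $group = $stmt->fetchColumn();
    return $group !== false && (int) $group === MODERATOR_GROUP;
}

// The super-user's action from the reply: demote a user while they are logged in.
function demote(PDO $db, string $username): void {
    $db->prepare('UPDATE users SET member_group = 1 WHERE username = ?')->execute([$username]);
}

session_start();
$db = setupDb();

login($db, 'alice');          // alice is a moderator at login time
demote($db, 'alice');         // revoked in the database after she logged in

// The cached flag does not notice the demotion; the live lookup does.
var_dump(isModeratorCached());
var_dump(isModeratorLive($db));
```

Run it with the PHP CLI (`php example.php`); it needs the pdo_sqlite extension, which is enabled in most builds. The usual compromise between the two styles is the reply's own: store only the user id (plus a logged-in marker) in the session and do the one cheap `SELECT` per request, so revocation is immediate and the role lives in exactly one place.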