Lukmo

Reputation: 1688

Are the $_SESSION variables accessible by the user?

I made a user authentication script for a password protected page.

In the first version of my script I started by checking if the user name and password matched the ones in the database and if yes, set a $_SESSION['user_connected'] variable as well as a $_COOKIE['user_connected'] variable to TRUE. My index.php file started by verifying if $_COOKIE['user_connected'] was set and then bypassed the database check if true.

I then realized cookies were accessible by the user and someone could simply set $_COOKIE['user_connected'] to TRUE before accessing the site and chaos would ensue. But what about the $_SESSION variables? Can I securely use them to check throughout the website if the user is connected?

tl;dr: Can users modify $_SESSION variables?

Upvotes: 0

Views: 286

Answers (2)

Quentin

Reputation: 943569

No.

They are stored on the server and only editable by scripts running on the server.

The user only gets a token that identifies which bundle of data is associated with them.

Upvotes: 8
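As an added illustration of this answer and of the flow the question describes (example code, not from the original question or answers), here is the cookie-based check from the asker's first version beside a session-based check. The sample user table, the `login.php` redirect target and the function names are assumptions made for the example; the only things the browser ever holds in the second version are the session ID cookie and whatever the script explicitly sends back.

```php
<?php
declare(strict_types=1);

// Added example, not the asker's script. Constructed sample "database":
// username => password hash. The asker's version queries a real table instead.
function sample_users(): array
{
    return ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
}

// Starts the session with the ID cookie locked down. The ID is the "token"
// Quentin mentions: it only names a bundle of data stored on the server.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_start([
        'cookie_httponly' => true,     // page scripts cannot read the session ID
        'cookie_secure'   => true,     // cookie is only sent over HTTPS
        'cookie_samesite' => 'Strict', // not attached to cross-site requests
        'use_strict_mode' => true,     // reject IDs the server never issued
    ]);
}

// Version 1 (the asker's first attempt): the decision rests on a cookie.
// $_COOKIE is filled from the request headers, so the client controls it
// completely; the database check is never reached if the cookie is present.
function is_logged_in_v1(): bool
{
    return isset($_COOKIE['user_connected']) && $_COOKIE['user_connected'] === '1';
}

// Version 2: the flag lives in $_SESSION, which exists only in the server's
// session store. The client can present a session ID, but cannot read or
// write the array that ID points to.
function login(string $username, string $password): bool
{
    start_secure_session();
    $users = sample_users();
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Issue a fresh ID at the privilege change so an ID handed out (or
    // observed) before login does not become the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_connected'] = true;
    $_SESSION['username'] = $username;
    return true;
}

function is_logged_in_v2(): bool
{
    start_secure_session();
    return isset($_SESSION['user_connected']) && $_SESSION['user_connected'] === true;
}

// What index.php would call at the top of a protected page.
function require_login(): void
{
    if (!is_logged_in_v2()) {
        header('Location: /login.php', true, 302); // assumed login page
        exit;
    }
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    session_destroy();
}
```

The session ID cookie is still a bearer token: whoever presents it gets that session's data, which is why the example sets `cookie_secure`, `cookie_httponly` and `use_strict_mode` and regenerates the ID on login. The server-side array itself, which is what the question asks about, is never exposed to the client.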

Bono

Reputation: 4849

Possible duplicate: Is it possible for a malicious user to edit $_SESSION?

$_SESSION is server-side; once it is set, it cannot be changed (by the user).

Also, take a look at this question

Upvotes: 5
