
I have a site with two areas. One is for Gold members and the other is for Silver members. I create two session variables when a user logs in; each area requires two session variables to access.

Gold: session-userId and session-gold

Silver: session-userId and session-silver

Is this secured? What if a hacker steals or changes the session-silver to session-gold? Then they could access the different area, couldn't they?

TRiG
chien pin wang

Session data is stored on the server. A user can't just change the session data willy nilly. See: http://stackoverflow.com/questions/2261716/can-php-sessions-be-manually-edited – Christian Apr 12 '13 at 15:25

This is a good read http://stackoverflow.com/questions/5121766/can-a-user-alter-the-value-of-session-in-php – Mr. Alien Apr 12 '13 at 15:25

2 Answers


Someone can't just change PHP-created sessions like they can cookies. Think about it: cookies are handed to their machines, sessions are stored on the server and lost on disconnection. You should be sure though to sanitize all input, or your session starts can be manipulated.

Nick

Security from hackers is a much, MUCH broader area to cover, and it can be very tricky. You should ALWAYS assume that a hacker can break your code and gain access.

That said, I'd use a database rather than sessions to determine user privileges, and I'd not use plain session values but encrypted ones. Maybe you can do something like this:

$_SESSION['user_level'] = sha1($userId . "session-silver");

and then compare the proper hash every time you need to. Remember that security through obscurity isn't a safe approach, because a hacker may be able to steal your source code.

DISCLAIMER: this suggestion isn't intended to be bomb-proof but as a small, easy improvement to current code without being too complex to implement quickly

STT LCU