I'm creating a dashboard where I have the front end on one subdomain and the api which is in php on another subdomain. I was looking for how to preserve $_SESSION between the two and found this. So what I'm inquiring about is since cookies are stored on the users machine and I'm sending the user id to the api, would they be able to manipulate this value and browse the app as a different user assuming I use session_set_cookie_params(). So I would be using $_SESSION in the api but this native function makes me think they'd be able to change the value.
Asked
Active
Viewed 33 times
0
Dan185
- 356
- 3
- 12
-
1A cookie is just a string placed in some HTTP header (different in both directions).Of course a client can contact a server putting whatever it wants as a cookie. It is up to the server to make sure that the value make sense, either by storing somewhere all possible current cookie values (like session ones in a DB or storage),sign them (so that any change/arbitrary data by client would get noticed and the cookie be discarded) or even crypt them. Often, a long enough random value stored on the server side is enough, as clients would not be able to find out other possible values (no correlation) – Patrick Mevzek Aug 02 '19 at 22:05
-
Okay so for instance, if I had a login form and the user fills it out, it makes a request to the api, if the credentials match, and the session hasn't already been started I use `session_set_cookie_params()` along with `session_start()` just that one time and place the user id which is an integer in `$_SESSION` is there any danger in this? – Dan185 Aug 03 '19 at 00:29
1 Answers
0
I don't believe this method I've alluded to is of any danger (knock on wood) but I'm just going to go for the /api/ subfolder structure anyways at this point as having a separate endpoint seems to make things too spread out.
Dan185
- 356
- 3
- 12