I have a login system. When a user logs in, the user data gets stored in $_SESSION variables (id, username, ...) like this (login.php):

$sql = 'SELECT * FROM users WHERE username = :username';
$statement = $con->prepare($sql);
$result = $statement->execute(array('username' => $username));
$userdata = $statement->fetch(); // false when no such user exists
$hashedPassword = json_encode($userdata['password']); // not used below

//check password (also guards against fetch() having returned false)
if ($result && $userdata && password_verify($password, $userdata['password'])) {
    session_regenerate_id();
    $_SESSION['loggedIn'] = true;
    $_SESSION['username'] = $username;
    $_SESSION['id'] = $userdata['id'];
    echo $_SESSION['id'];
    echo 'true';
} else {
    exit('false');
}
}else{ // closes an enclosing if whose opening is not shown in the post
    exit('false');
}

Now my question: Is it a security problem when I use this data as trustworthy data, for example:

INSERT INTO userRelatedTable (userId,data1,data2) VALUES ($_SESSION['userid'] (<= !!!) ,'data1','data2')

In other words: Does PHP handle the security part when I say session_start(); with a session key, or do I have to generate a key, store it and use it as an identifier myself?

Greetings

  • 1
    Can I assume your question is: "Is session data secure?"? There is lots of information on that, even here, for instance: https://stackoverflow.com/questions/1181105/how-safe-are-php-session-variables but also in the manual: https://www.php.net/manual/en/features.session.security.management.php – KIKO Software May 23 '20 at 07:40

1 Answer

The client side cannot directly alter $_SESSION, as it is stored server-side. However, the implementation may make it possible:

$_SESSION['username'] = $_POST['username']; // Now $_SESSION['username'] can be anything

$_SESSION['id'] cannot SQL-inject if id is an integer field in your database. But for consistency and to be on the safe side of things you may want to use prepared statements here as well.

drkdsk
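The two points from the answer above (session values are only as trustworthy as the code that wrote them, and the INSERT should be a prepared statement as well), as an added example that is not part of the original question or answer. The helper names `currentUserId` and `insertUserRelatedRow`, the in-memory SQLite database and the sample session arrays are assumptions made so the snippet runs on its own; the table and column names are the ones from the question.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: the logged-in user's id taken from session data,
// or null if the data does not describe an authenticated user.
function currentUserId(array $session): ?int
{
    if (($session['loggedIn'] ?? false) !== true) {
        return null;
    }
    // login.php writes the id from the users row, but check the type anyway
    // so a later code path that fills the session from request input fails closed.
    $id = filter_var($session['id'] ?? null, FILTER_VALIDATE_INT);
    return $id === false ? null : $id;
}

// Hypothetical helper: insert a row for the session's user with bound parameters.
function insertUserRelatedRow(PDO $con, array $session, string $data1, string $data2): bool
{
    $userId = currentUserId($session);
    if ($userId === null) {
        return false; // not logged in or id not an integer: refuse the insert
    }
    $stmt = $con->prepare(
        'INSERT INTO userRelatedTable (userId, data1, data2) VALUES (:userId, :data1, :data2)'
    );
    $stmt->bindValue(':userId', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':data1', $data1);
    $stmt->bindValue(':data2', $data2);
    return $stmt->execute();
}

// Constructed demo: in-memory SQLite stands in for the real database.
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec('CREATE TABLE userRelatedTable (userId INTEGER NOT NULL, data1 TEXT, data2 TEXT)');

// Constructed session arrays; in the application this is $_SESSION after session_start().
$fromLogin   = ['loggedIn' => true, 'username' => 'alice', 'id' => 7];
$fromRequest = ['loggedIn' => true, 'username' => 'alice', 'id' => '7 OR 1=1'];
$anonymous   = [];

var_dump(insertUserRelatedRow($con, $fromLogin, 'data1', 'data2'));
var_dump(insertUserRelatedRow($con, $fromRequest, 'data1', 'data2'));
var_dump(insertUserRelatedRow($con, $anonymous, 'data1', 'data2'));
var_dump((int) $con->query('SELECT COUNT(*) FROM userRelatedTable')->fetchColumn());
```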