0

I am creating a social/blogging platform and I am storing the user's ID in a session, so I will echo the ID out of the session onto the page.

Can a person edit the session to take on the identity of another user?

Gino Mempin
frank

4 Answers

2

It depends on the method of setting the $_SESSION variable you use - check this related question for a bit more clarification.

Nightfirecat
1

A session is just a cookie with an identifier.

When I visit your site, your webserver will create a session with the identifier XA7i9 for me (just an example), which my browser will store as a session cookie. Now, my browser is going to send XA7i9 with every request. When you store something inside $_SESSION, it will never leave your server.

However, if I tamper with the session cookie and can guess your session identifier, say b8a76, your webserver might think I'm you. It depends on your implementation.

This question on Stackoverflow might be of interest to you.

middus
0

A user can't edit your session variables if you do not allow him to do so.

He could steal the SESSID of another user.

Be aware of the register_globals directive in PHP.ini.

genesis
0

A user can intercept another user's session cookie value, change their own cookie to that user's, and take over their session. The only way to prevent this is to use SSL on your pages. This is the same reason that Facebook enabled users to select an 'always use HTTPS' option last year.

AndrewR
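Putting the answers above together (session data stays on the server, the ID must be unguessable, a fresh ID is issued at login, the cookie travels only over HTTPS), here is an added PHP example; it is not from the question or any of the answers, and the function names `startSecureSession`, `loginUser` and `currentUserId` are my own.

```php
<?php
// Added example, not from the original question or answers: a hardened
// PHP session bootstrap. The $_SESSION data lives only on the server; the
// browser holds nothing but the session ID cookie, so the job is to make
// that ID unguessable, unfixable, and hard to steal in transit.
declare(strict_types=1);

function startSecureSession(): void
{
    // Cookie flags: HTTPS only (AndrewR's point), not readable by
    // JavaScript, not sent on cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);

    // Refuse an uninitialised ID supplied by the client (session fixation).
    ini_set('session.use_strict_mode', '1');
    // Carry the ID only in the cookie, never in URLs or hidden form fields.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // 48 characters x 5 bits = 240 bits of ID entropy, unlike "XA7i9".
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '5');

    session_start();
}

/** Call only after the user's credentials have been verified. */
function loginUser(int $userId): void
{
    // Issue a fresh ID on privilege change so an ID fixed or captured
    // before login is worthless; true also deletes the old session store.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

/** Authenticated user ID, or null. Only server-side session data is trusted. */
function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

startSecureSession();
// After the password check: loginUser($idFromDatabase);
// On every page: $uid = currentUserId();
```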