
How should I store the id of the user in the session? Just insert the id? I mean (for example):

$_SESSION['id'] = 1;

Isn't there a way for the user himself to change it (as with a cookie)? Because if so, he can change it to any id.

One more question about it: how can I check if a user is logged in (with sessions)? I created a session variable:

$_SESSION['is_logged_in'] = true;

Again, can't the user just create a session variable whose name is 'is_logged_in' and whose value is true? Or does only the server have control over its value?

Jared Farrish
Luis

  • see: [PHP Session Fixation / Hijacking](http://stackoverflow.com/questions/5081025/php-session-fixation-hijacking#5081453) – Sep 30 '11 at 21:26
  • The way it's supposed to work is the SESSION is controlled and created by the server only. So no, the user should not be able to *create a session which his name is 'is_logged_in'* and have it affect the session in the way you describe, unless your SESSION methodology is seriously flawed. – Jared Farrish Sep 30 '11 at 21:27
  • The values in `$_SESSION` are stored exclusively server-side. The user receives only a PHPSESSID cookie containing their session id. PHP uses this to look up data in the session store. – Frank Farmer Sep 30 '11 at 21:31

1 Answer

All session variables in PHP are stored server-side. The client stores a cookie that references which session should be used, and then the server looks up the values for the session. It is safe to store is_logged_in in your session, as well as the user id.

What you should be aware of is that if another user gets hold of a user's session cookie, they will be able to imitate that user until the session times out. One simple solution is to link sessions to IPs.

xthexder

  • Check @Charles's [answer](https://security.stackexchange.com/questions/14093/why-is-passing-the-session-id-as-url-parameter-insecure#14094): "locking a session to an IP address may accidentally alienate people." – another Aug 24 '17 at 11:53
  • I must say that I have used this method before as well, in conjunction with the user-agent. The problem with IP addresses is that mobile users on the go will/can experience regular logouts. – Rick Apr 04 '20 at 01:56
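The following is an added example, not code from the question or the answer above, showing the pattern the answer describes in working PHP: only an opaque session id travels in the cookie, `is_logged_in` and `id` live in the server-side store, and the session id is regenerated at login so an id planted before authentication (session fixation, as in the linked thread) never becomes the authenticated one. The `check_credentials()` function, its embedded user record, the 8-hour absolute timeout and the User-Agent fingerprint are assumptions for illustration; the User-Agent check is used instead of IP binding because of the mobile-roaming caveat raised in the comments.

```php
<?php
// Added example (not from the original post). Assumed/hypothetical pieces:
// check_credentials() with its constructed user record, the 8-hour timeout,
// and the User-Agent fingerprint used as a weak hijack check.
declare(strict_types=1);

// Harden the cookie before session_start(): HttpOnly keeps scripts from reading
// the id, Secure restricts it to HTTPS, SameSite limits cross-site requests.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1');  // refuse ids the server never issued
ini_set('session.use_only_cookies', '1'); // never accept the id from a URL parameter
session_start();

/** Hypothetical credential check; stands in for a real user-table lookup. */
function check_credentials(string $username, string $password): ?int
{
    // Constructed sample user: id 1, password "correct horse".
    $users = [
        'alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    ];
    if (!isset($users[$username])) {
        return null;
    }
    return password_verify($password, $users[$username]['hash']) ? $users[$username]['id'] : null;
}

function login(string $username, string $password): bool
{
    $id = check_credentials($username, $password);
    if ($id === null) {
        return false;
    }
    // New id on privilege change: whatever id the browser sent before login is
    // discarded, so a fixed/planted id cannot become the authenticated session.
    session_regenerate_id(true);
    $_SESSION['is_logged_in'] = true;      // only the server can write these
    $_SESSION['id']           = $id;
    $_SESSION['login_time']   = time();
    $_SESSION['ua_hash']      = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return true;
}

function is_logged_in(): bool
{
    if (empty($_SESSION['is_logged_in']) || !isset($_SESSION['id'])) {
        return false;
    }
    // Fingerprint mismatch: treat the cookie as stolen and drop the session.
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua_hash'] ?? '', $ua)) {
        logout();
        return false;
    }
    // Absolute timeout (assumed 8 hours) bounds how long a stolen cookie is useful.
    if (time() - (int) ($_SESSION['login_time'] ?? 0) > 8 * 3600) {
        logout();
        return false;
    }
    return true;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on a login form submission (constructed sample values):
if (login('alice', 'correct horse')) {
    echo 'logged in as user ' . (int) $_SESSION['id'] . "\n";
}
var_dump(is_logged_in());
```

The point to notice is that nothing the browser sends is trusted for `id` or `is_logged_in`: the client can only present a session id, and with `session.use_strict_mode` even that is rejected unless the server created it. The User-Agent fingerprint is a weak signal (it is attacker-controlled and changes on browser updates), so treat it as an extra tripwire, not a substitute for regenerating the id at login and expiring sessions.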