Security of the $_SESSION array

When a low-privilege user is not logged into my web application, I store the following data in the $_SESSION array:

$_SESSION = array(
    'user_id'     => 2343,  // whatever their user_id number is from the DB
    'allow_admin' => false, // don't give them access to admin tools
    'allow_edit'  => false, // don't let them edit stuff
);

Is there a way that they could manipulate the $_SESSION array to give themselves administrator or editing access, other than somehow editing the session files in /tmp? (The above code is the only place where these elements are added to $_SESSION.)

+5
6 answers

The contents of the session are visible and can only be changed on the server side.


+9

, javascript cookie , https cookie https.

session.cookie_secure , cookie . . PHP 4.0.4. . session_get_cookie_params() session_set_cookie_params().

session.cookie_httponly cookie HTTP. , cookie , JavaScript. XSS ( ).


+4
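A session bootstrap that applies the cookie flags named in the answer above and keeps the privilege flags strictly server-side, added here as an example (not code from the original question or any answer); the function names and the DB column names are assumptions.

```php
<?php
// Added example (not from the original question or answers): a session
// bootstrap that applies session.cookie_secure / session.cookie_httponly
// per request and keeps the privilege flags server-side. Function names
// and DB column names are assumptions for illustration.

declare(strict_types=1);

function startHardenedSession(): void
{
    // Reject session IDs the server never issued, so a client cannot pick
    // its own ID (session fixation). Must be set before session_start().
    ini_set('session.use_strict_mode', '1');

    // Same effect as session.cookie_secure / session.cookie_httponly in
    // php.ini, applied here per request. The array form needs PHP >= 7.3.
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,     // only ever sent over HTTPS
        'httponly' => true,     // not readable by JavaScript (limits XSS theft)
        'samesite' => 'Strict', // not attached to cross-site requests
    ]);

    session_start();
}

// Called only after the credentials have been verified against the DB.
// $row is the user's database record (assumed columns: id, is_admin, can_edit).
function establishLogin(array $row): void
{
    // Discard the pre-login ID so a fixated ID never becomes authenticated.
    session_regenerate_id(true);

    $_SESSION = [
        'user_id'     => (int) $row['id'],
        'allow_admin' => (bool) $row['is_admin'],
        'allow_edit'  => (bool) $row['can_edit'],
    ];
}

// Authorization reads only $_SESSION, never $_GET, $_POST or a cookie value.
function requireAdmin(): void
{
    if (empty($_SESSION['allow_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

Call startHardenedSession() at the top of every script before any output is sent; the cookie flags are lost if session_start() runs first with the defaults.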

. , , . . , php-, user_id $_POST $_GET.

Client

someones session_id. . .

. . , . . - , $_SESSION HTML- . , . , , . , , , .


+3

script, , . . , , cookie , URL-, .

+2

, - (, - / $_SESSION).

+1

As far as I know, no, unless the user guesses your session ID and replaces it in their cookies. You should add extra IP address checking, at least on the server side, to prevent this.

+1
