Can a user change a PHP session?
page1.php:
<?php session_start(); if ($_POST['password'] == "testpass") $_SESSION['authenticated'] = true; ?>
page2.php:
<?php session_start(); if (isset($_SESSION['authenticated']) && $_SESSION['authenticated'] == true) { echo "Super secret stuff!"; } ?>
Can a user log in without a secure password?
No. The data in the $_SESSION variable is stored on the server, inaccessible to the user.
The session is connected to the user through a cookie. A cookie with an identifier (i.e., a long random string) is sent to the user to identify the user and link to his session. If someone else obtains this cookie, he can use the same identifier to pretend that he is that user, and thus he can log in without a password.
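The answer above describes the risk: whoever holds the session identifier holds the session. As an added example (not code from the question or from any of the answers), here are hardened versions of page1.php and page2.php that limit how the identifier can be stolen or planted; the constant hash built from "testpass" is an assumption standing in for a hash stored at deploy time, and the function names are my own.

```php
<?php
// Added example: hardened page1.php / page2.php logic in one file.
// Assumes PHP >= 7.3 (array form of session_set_cookie_params).

function start_hardened_session(): void
{
    // Cookie flags: not readable by JavaScript, HTTPS only, not sent cross-site.
    // This limits the ways the identifier in the cookie can leak or be reused.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    // Reject identifiers the server never issued (defeats session fixation).
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();
}

// page1.php: authenticate and mark the session.
function login(string $submitted, string $storedHash): bool
{
    // Constant-time hash comparison instead of $_POST['password'] == "testpass".
    if (!password_verify($submitted, $storedHash)) {
        return false;
    }
    // Issue a fresh identifier on privilege change, so an id observed or
    // planted before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['authenticated'] = true;
    return true;
}

// page2.php: the check, using strict comparison.
function is_authenticated(): bool
{
    return isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true;
}

start_hardened_session();
// Stand-in for a hash produced once by password_hash() and stored server-side.
$storedHash = password_hash('testpass', PASSWORD_DEFAULT);
if (login($_POST['password'] ?? '', $storedHash) && is_authenticated()) {
    echo "Super secret stuff!";
}
```

The cookie flags only help when the site is served over HTTPS; with `secure` set, the browser will not send the cookie over plain HTTP at all.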
A session can only be modified from within PHP code, unlike $_POST, $_GET, $_COOKIE, etc.
As an aside, I think you can use empty() to simplify your conditional:
<?php session_start(); if (!empty($_SESSION['authenticated'])) { echo "Super secret stuff!"; } ?>
A session can be changed in different cases. See this: Session Poisoning