  1. #1 Nick (masquerading), joined Jun 2003, East Coast

    Ability to alter session variables

    Currently the user authentication system I've written for my PHP CMS keeps track of users through session variables. The user logs in, and if the username and password match, a session var (let's call it $_SESSION['logged_in']) is set to true. Then I have various permission functions that check the value of said variable and either grant or deny access to parts of the site.

    However, I seem to remember a feature/plugin for Firefox that allowed any ol' user to add/view/modify cookie and session variables, which would of course pose the problem of a curious user being able to falsely grant himself or herself access to restricted portions of my site. My other option is to query the db before every action to get the user's permission level instead of storing it in a session.

    Any thoughts on this?

  2. #2 Mal Curtis (SitePoint Addict), joined Jul 2009, New Zealand
    The session data itself is stored on the server and is not accessible to the user.

    What the user gets is a cookie which holds the session id, which is a reference to which session data the server should be using.

    The main security issue is that if someone steals their cookies, then they can get that session information.

    A good thing to do is store a 'fingerprint' of their user agent and any other unique bits of information about that user in the session. On each page, check that the fingerprint matches, and if it does not, destroy the session.
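The fingerprint check described in this reply, written out as an added PHP example (it is not code from either poster). It assumes a site-wide secret in the placeholder constant FINGERPRINT_SALT and a hypothetical /login.php redirect target; the fingerprint is an HMAC over the User-Agent and Accept-Language headers so the raw values are never stored in the session.

```php
<?php
// Added example, not from the thread: session fingerprint as described above.
// FINGERPRINT_SALT is a placeholder; load a long random secret from config.
const FINGERPRINT_SALT = 'replace-with-a-long-random-site-secret';

// Build the fingerprint from request attributes that should stay stable for
// one browser during a session, keyed with the site secret so it is not
// simply a guessable hash of public header values.
function session_fingerprint(array $server): string
{
    $parts = [
        $server['HTTP_USER_AGENT'] ?? '',
        $server['HTTP_ACCEPT_LANGUAGE'] ?? '',
    ];
    return hash_hmac('sha256', implode('|', $parts), FINGERPRINT_SALT);
}

// Call once, right after the username/password check succeeds.
function login_user(int $userId, array $server): void
{
    session_regenerate_id(true);            // fresh id: blocks session fixation
    $_SESSION['logged_in']   = true;
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = session_fingerprint($server);
}

// Call at the top of every protected page, after session_start().
// Returns true when the request may proceed; on a mismatch the session is
// destroyed on the server and the client's session cookie is expired.
function check_session(array $server): bool
{
    if (empty($_SESSION['logged_in']) || empty($_SESSION['fingerprint'])) {
        return false;
    }
    if (!hash_equals($_SESSION['fingerprint'], session_fingerprint($server))) {
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        return false;
    }
    return true;
}

// Typical use on a protected page (constructed):
// session_start();
// if (!check_session($_SERVER)) { header('Location: /login.php'); exit; }
```

A browser upgrade changes the User-Agent string and will log that user out, so treat a mismatch as a forced re-login rather than an alarm on its own.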

