Can user change $_SESSION var?

Discussion in 'PHP' started by Tony Brar, Nov 15, 2012.

0
  1. #1
    Hello Digital Point,

    I wanted to know, can a user change a session variable?
    I need to know so that I don't create errors and put unescaped info in the db.

    Thanks,
    -Tony
     
    Solved! View solution.
    Tony Brar, Nov 15, 2012 IP
  2. EricBruggema

    EricBruggema Well-Known Member

    Messages:
    1,740
    Likes Received:
    28
    Best Answers:
    13
    Trophy Points:
    175
    #2
    EricBruggema, Nov 16, 2012 IP
  3. Tony Brar

    Tony Brar Active Member

    Messages:
    220
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    75
    #3
    I mean can a user change something stored in their session?
    Like their username, for example. ($_SESSION['username'])

    -Tony
     
    Tony Brar, Nov 16, 2012 IP
  4. #4
    When you use PHP Sessions an HTTP COOKIE is created on the visitors computer storing an ID. That ID is used to fetch the data on the server in the /tmp directory. Can a visitor modify their cookies? Yes, because it's stored on their computer. Can a visitor change the corresponding data on the server? No, because it's stored on a remote computer.

    The only thing they can do is change the session id to one which is invalid.
     
    NetStar, Nov 16, 2012 IP
  5. Tony Brar

    Tony Brar Active Member

    Messages:
    220
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    75
    #5
    That's what I wanted to know.

    Thanks,
    -Tony
     
    Tony Brar, Nov 16, 2012 IP