Are sessions modifiable by the client/user?
Posted by Sev on Stack Overflow
Published on 2010-05-27T23:37:38Z (indexed 2010/05/27 23:41 UTC)
In my PHP Web-App I use sessions to store the user's data. For example, if a user logs in, then an instance of the User class is generated and stored in a Session.
I have access levels associated with each user to determine their privileges.
Store the user in a session by:
$_SESSION['currentUser'] = new User($_POST['username']);
For example:
if($_SESSION['currentUser'] -> getAccessLevel() == 1)
{
//allow administration functions
}
where getAccessLevel() is simply a get method in the User class that returns the _accesslevel member variable.
Is this secure? Or can the client somehow modify their access level through session manipulation of some sort?
© Stack Overflow or respective owner
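As an added example (not part of the question above or of the poster's application), the following shows where the trust boundary actually sits: the contents of `$_SESSION` live in the server's session store, and the client only holds the session ID cookie. The practical risks are therefore someone obtaining or pre-planting that ID, and server code that copies client input into the session without authenticating first. The example authenticates before writing anything to the session, regenerates the session ID on login, locks down the session cookie, and re-reads the access level from the user record on every request instead of trusting a level cached at login. The `findUserById`/`findUserByName` functions and the in-memory user table are constructed stand-ins for a database lookup.

```php
<?php
// Added example, not the original poster's code. Names below are assumptions.
declare(strict_types=1);

// Harden the cookie that carries the session ID. Call before session_start().
function configureSession(): void
{
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued (anti-fixation)
    ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed stand-in for a user table (a real app queries its database).
function userTable(): array
{
    return [
        1 => ['name' => 'alice', 'hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'access_level' => 1],
        2 => ['name' => 'bob',   'hash' => password_hash('battery staple', PASSWORD_DEFAULT), 'access_level' => 0],
    ];
}

function findUserByName(string $username): ?array
{
    foreach (userTable() as $id => $row) {
        if ($row['name'] === $username) {
            return ['id' => $id] + $row;
        }
    }
    return null;
}

function findUserById(int $id): ?array
{
    $row = userTable()[$id] ?? null;
    return $row === null ? null : ['id' => $id] + $row;
}

// Only after the password verifies does anything get written to the session.
function login(string $username, string $password): bool
{
    $row = findUserByName($username);
    if ($row === null || !password_verify($password, $row['hash'])) {
        return false;
    }
    // The session's privilege level is about to change: issue a fresh ID so an
    // ID the client held before login (e.g. a fixated one) is not promoted.
    session_regenerate_id(true);
    // Store only the user's ID; the access level is re-read from the record
    // on each request, so revoking admin rights takes effect immediately.
    $_SESSION['user_id'] = $row['id'];
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

function currentAccessLevel(): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $row = findUserById((int) $_SESSION['user_id']);
    return $row === null ? null : $row['access_level'];
}

function isAdmin(): bool
{
    return currentAccessLevel() === 1;
}

// Usage, as in the question's original check:
configureSession();
if (isset($_POST['username'], $_POST['password'])) {
    login((string) $_POST['username'], (string) $_POST['password']);
}
if (isAdmin()) {
    // allow administration functions
}
```

Storing a `User` object in `$_SESSION`, as the question does, is not itself a problem: PHP serializes it into the server-side store and the client never sees it. What matters is that nothing derived from client input reaches `$_SESSION` before authentication, and that the session ID cookie is hard to steal or fix, which is what `configureSession()` and the `session_regenerate_id(true)` call on login address.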