Are sessions modifiable by the client/user?

Posted by Sev on Stack Overflow See other posts from Stack Overflow or by Sev
Published on 2010-05-27T23:37:38Z Indexed on 2010/05/27 23:41 UTC
Read the original article Hit count: 154

Filed under:
|
|

In my PHP Web-App I use sessions to store the user's data. For exmaple, if a user logs in, then an instance of the User class is generated and stored in a Session.

I have access levels associated with each user to determine their privileges.

Store the user in a session by:

$_SESSION['currentUser'] = new User($_POST['username']);

For example:

if($_SESSION['currentUser'] -> getAccessLevel() == 1)
{
  //allow administration functions
}

where getAccessLevel() is simply a get method in the User class that returns the _accesslevel member variable.

Is this secure? Or can the client somehow modify their access level through session manipulation of some sort?

© Stack Overflow or respective owner

Related posts about php

Related posts about security