Is it possible to change a $_SESSION variable client-side? [duplicate]

This question already has answers here: 开发者_如何转开发 Closed 11 years ago.

Possible Duplicate:

PHP Can a client ever set $_SESSION variables?

What I'd like to know, is whether a PHP $_SESSION variable can be changed on the client-side. If, for example, I do $_SESSION['username'] = $username; Can someone somehow change the value of my $_SESSION['username'] variable?

---

The contents of the SESSION superglobal cannot be changed. This lives on the server and the client has no way to access this.

However, a session id is passed to the client so that when the client contacts the server the server knows which session to use. This value could be changed (See Calums answer for preventing this See http://php.net/manual/en/session.security.php for information). Which would allow a user to use someone elses session (but not change the value of the session).

---

PHP is a server-side programming language and the $_SESSION superglobal is only directly accessible on the server. With 'normal' php sessions, the data contained in the SESSON superglobal is passed back and forth between the browser and the server in a cookie. So technically, it is possible to modify the session with Javascript in a web browser by modifying the cookie.

But please note, any attempt to do anything like this is probably a terrible idea and there's most likely a far more simple way to accomplish whatever you're trying to do.

Edit: This question I asked may be of use to you Codeigniter/PHP sessions security question

---

Not exactly, but you can simulate it with AJAX. Just write a php file that changes the value, and then call it from AJAX, just to execute it and change that value.

Hope this helps you.