
Another security question about Sessions

I'm trying to make a login system. What I'm doing: when the user logs in, I create Session['id'] and put the user's id there. I'm also making a so-called salt security thing, which is OK.

Now later on, in some part of the site, I check session['id'], go to the database, check if that id has a high level of permission, and grant that user some functions. I can also check the salt to see if the user is the same one who logged in, avoiding hackers etc.

My question is the following. Suppose the user makes a new account and logs in using that account. The salt system will be OK for him, so he can travel through the site, but his id will be a bit low, so he will not get all the functions. BUT! If the user understands that I'm checking his id to find out who he is, can he, after logging in, somehow give the server a different session['id'], for example that of a user whose level is high, and receive all the bonuses? Because I made the session with

ini_set('session.use_only_cookies', true); 
session_start();

so probably all the session data will be on his computer, right? So is it possible?

SOLVED


The session id should be a completely random number.

So even if the user changes his session id to another one, it is very unlikely that he will land in another valid session that way. It will almost always just log him out.

The data behind the session is only stored on your server.

Only the session id itself is given to the web browser.

ini_set('session.use_only_cookies', true);

The setting you mention just makes sure that the session id is only delivered via a cookie, not as part of the HTML or a URL.


Use of $_SESSION is fine because the file with the actual data in it resides on the server, not on the client's machine. The client only keeps a reference, so PHP knows where to look in the session cookie on the server for the client's session data.


Only the session ID (normally the PHPSESSID cookie) resides on the user's machine, and it is responsible for telling the server which session instance is being used. The data stored in $_SESSION is safe inside the server, and unless you manually send it to the client, nobody outside the server can see it.

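The answers above all make the same point: the browser holds only an unguessable session ID, the user's id and everything else in $_SESSION stays on the server, and a tampered ID simply maps to no session. The following is an added example, not code from the original question or answers, showing how that flow is usually hardened in PHP: the client-supplied ID is never trusted to create a session (use_strict_mode), the ID is regenerated at login so a pre-planted ID cannot be reused (session fixation), and the privilege level is looked up from the database on every request rather than stored where the client could influence it. It assumes a PDO connection $pdo and a users table with id, username, password_hash and role columns; that schema and the function names are hypothetical.

```php
<?php
// Added example (not from the original post). Assumes $pdo is a PDO connection
// and a hypothetical `users` table with columns id, username, password_hash, role.
declare(strict_types=1);

// The ID travels only in a cookie (as in the question), and a browser that sends
// an ID the server never issued gets a fresh one instead of adopting it.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');

// Cookie is not readable from JavaScript, only sent over HTTPS, and not sent on
// cross-site navigations. Array form of session_set_cookie_params needs PHP 7.3+.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Privilege level changes here, so issue a brand-new random session ID and
    // delete the old session file: an ID an attacker planted before login is useless.
    session_regenerate_id(true);
    $_SESSION['id'] = (int) $row['id'];
    return true;
}

function currentRole(PDO $pdo): ?string
{
    if (!isset($_SESSION['id'])) {
        return null;               // no session data behind this ID: not logged in
    }
    // The role is read from the server-side database on each request; the client
    // only ever sent the opaque session ID, never the user id or the role.
    $stmt = $pdo->prepare('SELECT role FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['id']]);
    $role = $stmt->fetchColumn();
    return $role === false ? null : (string) $role;
}

function requireRole(PDO $pdo, string $role): void
{
    if (currentRole($pdo) !== $role) {
        http_response_code(403);
        exit('Forbidden');
    }
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the PHPSESSID cookie in the browser, then destroy the server-side data.
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Typical use on an admin page (example only):
// requireRole($pdo, 'admin');
```

The thing a user who edits his PHPSESSID cookie can do is pick a different 128-bit-ish random string; with use_strict_mode on, an unknown ID does not even become a new empty session under his chosen name, so the only outcomes are "his own session" or "logged out". What this does not protect against is an attacker who obtains a real high-privilege user's ID (for example via XSS or sniffing plain HTTP), which is why the HttpOnly and Secure flags above matter as much as the randomness of the ID.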
