Are sessions modifiable by the client/user?
In my PHP Web-App I use sessions to store the user's data. For example, if a user logs in, then an instance of the User class is generated and stored in a Session.
I have access levels associated with each user to determine their privileges.
Store the user in a session by:
$_SESSION['currentUser'] = new User($_POST['username']);
For example:
if($_SESSION['currentUser'] -> getAccessLevel() == 1)
{
//allow administration functions
}
where getAccessLevel() is simply a get method in the User class that returns the _accesslevel member variable.
Is this secure? Or can the client somehow modify their access level through session manipulation of some sort?
No, the client cannot modify their access level. The only thing stored on the client is the session key, which is either propagated via cookie or GET parameter. The session key ties to a corresponding session record, which is a file stored on the server side (usually in a temp directory) which contains the 'punch'. What you don't want is for a session key to get leaked to a third party:
A leaked session id enables the third party to access all resources which are associated with a specific id.
Take a look at this: http://www.php.net/manual/en/session.security.php
The session information is stored on the server and the user only has access to a key. In practice I have used something of this sort, with extra steps. After validating the user details and storing the User object, I would have a query that is run when viewing any of your protected pages to validate that what is in the session is okay with what they're trying to view. At the top of your page.php:
if(!validUser($user)){
// Relocate the user
}
where
function validUser(User $user): bool
{
    // Some query to verify the information in the session
    // (e.g. that the user still exists and still holds this access level)
    // Return the results of verification
}
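A fuller version of the pattern in this answer, as an added example (not the answerer's code and not from the question): harden the session cookie, rotate the session id at login, and re-read the access level from the database on each protected request rather than trusting a value copied into the session at login. It assumes a PDO connection `$pdo` and a `users` table with columns `id`, `username`, `password_hash`, `access_level` and `disabled`; all of these names are assumptions.

```php
<?php
// Added example, not code from the question or answers. Assumes a PDO
// connection $pdo and a `users` table with columns id, username,
// password_hash, access_level and disabled (all assumed names).

// Harden the session cookie before starting the session.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
ini_set('session.use_only_cookies', '1'); // never accept the id from the URL
ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
session_start();

// Login: verify the password, rotate the session id so an id chosen
// before login (session fixation) is not kept, store only the user id.
function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['userId'] = (int) $row['id'];
    return true;
}

// Protected pages: the session data lives on the server, so the client
// cannot edit it, but an access level copied into the session at login
// goes stale (demoted or disabled account). Re-read it per request.
function currentAccessLevel(PDO $pdo): ?int
{
    if (!isset($_SESSION['userId'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT access_level FROM users WHERE id = ? AND disabled = 0');
    $stmt->execute([$_SESSION['userId']]);
    $level = $stmt->fetchColumn();
    return $level === false ? null : (int) $level;
}

// Same check as the question's `getAccessLevel() == 1`, backed by the DB.
function requireAdmin(PDO $pdo): void
{
    if (currentAccessLevel($pdo) !== 1) {
        session_destroy();
        header('Location: /login.php', true, 303);
        exit;
    }
}
```

The `$_SESSION` contents are never sent to the browser; only the cookie carrying the session id is, which is why protecting that id (HttpOnly, Secure, no id in the URL) matters more than the data behind it.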
I thought the only way for the user to manipulate something like that was if it was stored in a cookie on the user's computer.
Is the getaccesslevel stored to a cookie, or is it called from the server only after checking the login cookie and not stored on the user's computer?
I would assume that if it is called on the server only after the user is logged in then they would not be able to easily manipulate that other than through other means of security holes.
Just my guess though, I'm not that great with security myself yet. I will keep an eye on this to see what others have to say and maybe I can learn something.