Is it smart enough to use session ID to identify user?


Post by Milan

Is it smart enough to use the session ID to identify a user when he wants to change his user details?

For example, if I read the username value from the cookie and then allow the user to change data on his page, can someone else put some username in a cookie on their machine and then modify other people's info?

I was thinking about storing the session info in the table and then comparing whether the username in the cookie matches the active session ID I have in the table?

What do you guys think?

Post by bdlang

Milan wrote: Is it smart enough to use the session ID to identify a user when he wants to change his user details?
No. It is strongly recommended to have the user re-login to verify credentials and change / view any of their information. It is usually enough, however, to identify them from script-to-script when viewing the site.

Milan wrote: For example, if I read the username value from the cookie and then allow the user to change data on his page, can someone else put some username in a cookie on their machine and then modify other people's info?
This is technically possible, yes. Maybe not very probable given certain situations, but do you want to take the chance?

Milan wrote: I was thinking about storing the session info in the table and then comparing whether the username in the cookie matches the active session ID I have in the table?
Again, this is fine for general identification, tracking the user on the site, etc.
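The approach discussed in this thread, as an added example that is not part of either post: the user's identity is kept in the server-side session rather than in a username cookie, and a change to user details is only accepted after a recent password confirmation. The `$pdo` handle, the `users` table with `id`, `username`, `password_hash` and `email` columns, the function names and the 300-second window are all assumptions made for illustration.

```php
<?php
// Added example. The schema, function names and REAUTH_WINDOW are assumptions.
declare(strict_types=1);

const REAUTH_WINDOW = 300; // seconds a password confirmation stays valid

function startSession(): void
{
    // Only the opaque session id travels in the cookie, never the username.
    session_start(['use_strict_mode' => true, 'cookie_httponly' => true,
                   'cookie_secure' => true, 'cookie_samesite' => 'Strict']);
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);             // fresh id once the user is authenticated
    $_SESSION['user_id'] = (int) $row['id']; // identity is stored server-side only
    $_SESSION['reauth_at'] = time();
    return true;
}

function confirmPassword(PDO $pdo, string $password): bool
{
    $id = $_SESSION['user_id'] ?? null;
    if ($id === null) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$id]);
    $hash = $stmt->fetchColumn();
    if (!is_string($hash) || !password_verify($password, $hash)) {
        return false;
    }
    $_SESSION['reauth_at'] = time();         // re-login succeeded, open the window
    return true;
}

function updateEmail(PDO $pdo, string $newEmail): bool
{
    $id = $_SESSION['user_id'] ?? null;      // a client-set username cookie is never consulted
    $fresh = time() - ($_SESSION['reauth_at'] ?? 0) <= REAUTH_WINDOW;
    if ($id === null || !$fresh) {
        return false;                        // caller should ask for the password again
    }
    $stmt = $pdo->prepare('UPDATE users SET email = ? WHERE id = ?');
    return $stmt->execute([$newEmail, $id]); // row is chosen by the session, not the request
}
```

Because the row to update is selected from `$_SESSION['user_id']`, a visitor who edits cookies on their own machine can at most present a session id they do not hold, not name another user directly.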