Is it smart enough to use session id to identify user?

Posted: Sun May 21, 2006 6:25 pm
by Milan
Is it smart enough to use the session id to identify a user when he wants to change his user details?

For example, if I read the username value from the cookie and then allow the user to change data on his page, can someone else put some username in a cookie on their machine and then modify other people's info?

I was thinking about storing the session info in the table and then comparing whether the username in the cookie matches the active session ID I have in the table?

What do you guys think?

Re: Is it smart enough to use session id to identify user?

Posted: Sun May 21, 2006 8:36 pm
by bdlang
Milan wrote:
> Is it smart enough to use the session id to identify a user when he wants to change his user details?

No. It is strongly recommended to have the user re-login to verify credentials before changing or viewing any of their information. It is usually enough, however, to identify them from script to script when viewing the site.

Milan wrote:
> For example, if I read the username value from the cookie and then allow the user to change data on his page, can someone else put some username in a cookie on their machine and then modify other people's info?

This is technically possible, yes. Maybe not very probable given certain situations, but do you want to take the chance?

Milan wrote:
> I was thinking about storing the session info in the table and then comparing whether the username in the cookie matches the active session ID I have in the table?

Again, this is fine for general identification, tracking the user on the site, etc.
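As an added illustration of the two points in bdlang's reply (this is example code written for this thread, not code from either poster): a constructed Python model in which a client-supplied `username` cookie is enough to authorize the insecure update, while the safe version resolves the user from a server-side session table keyed by a random session id and also refuses profile edits unless the password was verified recently. The names `SESSIONS`, `REAUTH_WINDOW`, `update_profile` and the demo users are all assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    username: str
    last_auth: float   # when the password was last verified (epoch seconds)


# Constructed server-side session table: opaque random id -> session record.
# The username lives only here, never in a cookie the client can edit.
SESSIONS: Dict[str, Session] = {}
REAUTH_WINDOW = 300  # seconds; profile edits need a password check this recent

# Constructed demo credentials; a real app stores salted password hashes.
USERS = {"milan": "correct horse", "alice": "battery staple"}


def login(username: str, password: str) -> Optional[str]:
    """Verify credentials and hand back a fresh unguessable session id."""
    expected = USERS.get(username)
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    sid = secrets.token_urlsafe(32)               # 256 bits of entropy
    SESSIONS[sid] = Session(username, time.time())
    return sid


def current_user(cookies: Dict[str, str]) -> Optional[str]:
    """Identify the user from the session table; any 'username' cookie is ignored."""
    sess = SESSIONS.get(cookies.get("sid", ""))
    return sess.username if sess else None


def update_profile_insecure(cookies: Dict[str, str], db: dict, new_email: str) -> bool:
    """The pattern Milan asks about: trusts a 'username' cookie the client sets."""
    user = cookies.get("username")
    if user not in db:
        return False
    db[user]["email"] = new_email                 # any row can be edited this way
    return True


def update_profile(cookies: Dict[str, str], db: dict, new_email: str) -> bool:
    """Authorize from the server-side session and require a recent re-login."""
    sess = SESSIONS.get(cookies.get("sid", ""))
    if sess is None or time.time() - sess.last_auth > REAUTH_WINDOW:
        return False                              # not logged in, or must re-enter password
    db[sess.username]["email"] = new_email        # only the session's own row is touched
    return True
```

The session id is the only thing the cookie carries, so a cookie edited on another machine cannot name a different user, and the `REAUTH_WINDOW` check is the re-login step bdlang recommends before sensitive changes.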