
Session security question

Posted: Sun May 16, 2010 1:45 pm
by JonnySnip3rz
Hey guys, I'm pretty new to PHP programming so no flaming haha! I know that sessions are stored on the server, however I'm wondering this. I have created a login and a while loop pulls the info from the database where username = username blah blah. Anyway, I store various information in sessions: I store the user's full name, user's email, username and their rank. If their rank is 0 then they are a standard member, else admin. Now, can a user change their session values so they could change it to maybe 1 and then they would have admin status? Is this safe or is there a better way of doing this?

Hope someone can help thanks :)

Re: Session security question

Posted: Tue May 18, 2010 11:12 am
by social_experiment
You could set the rank of admin (or normal user) in a database and with each 'authorization' check see if the value retrieved from the database matches the value set in a session variable. In the event of someone tampering with the value and if a match between database value and session variable cannot be found, you inform the user.

Code:

<?php
session_start();
// $rankFromDatabase is looked up for the logged-in user on every request
if ($_SESSION['rank'] != $rankFromDatabase) {
    // values disagree: treat the session as tampered and deny access
}
?>
Naturally this wouldn't be the only check but an additional precaution against such tampering.
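As an added example (not code from this thread), here is one way to implement the pattern social_experiment describes: the session only carries the user's identity, and the rank that decides admin access is re-read from the database on every authorization check, so there is no privileged value in the session to tamper with. It assumes a PDO connection in `$db` and a `users` table with `id`, `username`, `password_hash` and `rank` columns (0 = standard member).

```php
<?php
// Added example for the thread above; the `users` table layout and the
// $db PDO handle are assumptions, not something the original poster showed.

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh session id after a successful login so a pre-login id cannot be reused.
    session_regenerate_id(true);
    // Store only the identity; rank is looked up when an authorization decision is made.
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function currentRank(PDO $db): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null; // nobody logged in
    }
    $stmt = $db->prepare('SELECT rank FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $rank = $stmt->fetchColumn();
    return $rank === false ? null : (int) $rank; // null if the account no longer exists
}

// Call at the top of any admin-only page: the decision always comes from the
// database row, never from a value a client could have influenced.
function requireAdmin(PDO $db): void
{
    $rank = currentRank($db);
    if ($rank === null || $rank === 0) {
        http_response_code(403);
        exit('Forbidden');
    }
}

session_start();
// Example usage on an admin page (uncomment once $db is set up):
// requireAdmin($db);
?>
```

If you still want to keep a cached copy of the rank in the session for convenience, compare it against `currentRank($db)` the way the post above does and treat any mismatch as a reason to end the session.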

Re: Session security question

Posted: Wed May 19, 2010 1:27 am
by JonnySnip3rz
Thanks dude :) for the reply!