I have a security concern.
Throughout my system I keep the user's id in the session, and every modification to the database is based on the session.
Now the session id is not even encrypted.
Is this a bad practice?
I would suppose that a hacker could inject somebody else's id in the session (say the id of some admin) and then change their password.
unsubscribe/subscribe/forgotpassword security
murlopaz wrote: Throughout my system I keep the user's id in the session, and every modification to the database is based on the session.
Good.
murlopaz wrote: [s]K[/s]now the session id is not even encrypted. Is this a bad practice?
No. Can you explain what the SID is for? What would "encryption" change? Encrypt how exactly, and swap keys how exactly?
murlopaz wrote: I would suppose that a hacker could inject somebody else's id in the session (say the id of some admin) and then change their password.
Could be, could be not. Try to do it yourself and see what happens. Read your code. How is the userId written into the session? Does this happen in a manner that is controllable by the user?
I am sorry. By session id I meant the id of the user that is stored in the session.
Whenever there is a need to change some information about the user, the session["id"] is used for that purpose. Like:

    $_SESSION["id"] = 23;   // PHP's session superglobal is $_SESSION (case-sensitive); a lowercase $_session is just an ordinary variable

Okay then, just ignore the second part of my answer and concentrate on the third part.
If the user has control over what id is written in the session - bad. If not - good. Whether the user has control depends on your specific code, but normally the id would be SELECT-ed from the database (based on user credentials) and stored in the session, which means the user/attacker has no control over the id.
Yes, the id is selected from the database when the user provides the correct credentials...
My concern was that there would be a way to change a value of the session, i.e. the ID, after the user is logged in already.
Suppose that the id is kept in a cookie. The user can easily modify the id in the cookie to something else.
Everything else is straightforward...
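The two situations discussed above (the id being SELECT-ed into the session based on credentials versus being taken from something the client controls, such as a cookie) as an added example; this is not code from the thread or from murlopaz's system. It is a command-line simulation: the $users array is a constructed stand-in for the SELECT against the database, $sessionStore is an in-memory stand-in for PHP's server-side session storage that $_SESSION is backed by, and the function names are hypothetical.

```php
<?php
// Added example, not the thread's code. Simulates how the user id gets into
// the session and what the client can and cannot tamper with.
// $users: constructed stand-in for the database table (hypothetical data).
$users = [
    'alice' => ['id' => 23, 'hash' => password_hash('alice-pw', PASSWORD_DEFAULT)],
    'admin' => ['id' => 1,  'hash' => password_hash('admin-pw', PASSWORD_DEFAULT)],
];

// Server-side store keyed by the session id (SID). This is what $_SESSION is
// backed by; the browser only ever holds the SID, in the PHPSESSID cookie.
$sessionStore = [];

function startSession(array &$store): string
{
    $sid = bin2hex(random_bytes(16));   // unguessable SID, as session_start() issues
    $store[$sid] = [];
    return $sid;
}

// Good: the id is SELECT-ed based on the credentials. Apart from the username
// and password, nothing the client sends influences which id gets stored.
function login(array $users, array &$store, string $sid, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) {
        return false;
    }
    $store[$sid]['id'] = $users[$user]['id'];
    return true;
}

// Bad: the id comes from something the client controls (a cookie, a GET/POST
// parameter, a hidden form field). Sending id=1 makes the attacker the admin.
function loginTrusting(array &$store, string $sid, array $request): void
{
    $store[$sid]['id'] = (int) $request['id'];
}

// The password change uses only the id held server-side for this SID.
// Returns the id whose password was changed, or null if nothing happened.
function changePassword(array &$users, array $store, string $sid, string $newPass): ?int
{
    if (!isset($store[$sid]['id'])) {
        return null;   // unknown SID or not logged in
    }
    $id = $store[$sid]['id'];
    foreach ($users as $name => $row) {
        if ($row['id'] === $id) {
            $users[$name]['hash'] = password_hash($newPass, PASSWORD_DEFAULT);
            return $id;
        }
    }
    return null;
}

// Scenario 1: id SELECT-ed into the server-side session.
$sid = startSession($sessionStore);
login($users, $sessionStore, $sid, 'alice', 'alice-pw');
// alice can edit her cookies, but that only changes which server-side record is
// looked up. An added "id=1" cookie is never read, and a guessed SID has no record.
$forgedSid = str_repeat('0', 32);
var_dump(changePassword($users, $sessionStore, $sid, 'new-pw'));       // touches alice's own row only
var_dump(changePassword($users, $sessionStore, $forgedSid, 'new-pw')); // no session behind the forged SID

// Scenario 2: id taken from the request instead of from the database.
$sid2 = startSession($sessionStore);
loginTrusting($sessionStore, $sid2, ['id' => '1']);   // attacker-chosen value
var_dump(changePassword($users, $sessionStore, $sid2, 'pwned'));       // the admin's row gets rewritten
```

Run it with the php command-line interpreter. In the first scenario the only thing the client holds is the SID, so editing cookies can at most select a different (or non-existent) server-side record, never rewrite the id inside it; in the second scenario the id itself is client input, which is exactly the "user has control over what id is written" case from the reply above, and there an attacker changes whichever account's password they choose.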