Home/ Questions/Q 970147
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T02:45:35+00:00

I am currently doing a website in php, we are using a Session variable

  • 0

I am currently doing a website in php, we are using a Session variable to store the permission level of each user.

For example, if any one of you would go on the website, you would automatically get a session variable with a value of “member”.

What I am asking is: Is it possible for an attacker to go on the website and modify the value of the session variable for “admin” instead of “member”

I am not asking how, just if it is possible, and if so what kind of special access would the attacker would need (ex: access to the code, ….)

I have an alternative solution, which would be to replace the permission value with a token that would expire over time.

The second solution is way longer to implement.

Thanks for your help!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    No, unless:

    • The attacker had access to the storage of the session variables (usually the filesystem of the server, but could also be e.g. a database)
    • The attacker intercepted a session cookie of a more privileged user.
    • The attacker successful fixated the session of a more privileged user (see session fixation attacks).
    • 0