I am currently doing a website in php, we are using a Session variable

Question

Asked: May 16, 20262026-05-16T02:45:35+00:00 2026-05-16T02:45:35+00:00

I am currently doing a website in php, we are using a Session variable to store the permission level of each user.

For example, if any one of you would go on the website, you would automatically get a session variable with a value of “member”.

What I am asking is: Is it possible for an attacker to go on the website and modify the value of the session variable for “admin” instead of “member”

I am not asking how, just if it is possible, and if so what kind of special access would the attacker would need (ex: access to the code, ….)

I have an alternative solution, which would be to replace the permission value with a token that would expire over time.

The second solution is way longer to implement.

Thanks for your help!

You must login to add an answer.

Need An Account,

Editorial Team · Answer 1 · 2026-05-16T02:45:36+00:00

Editorial Team

No, unless:

The attacker had access to the storage of the session variables (usually the filesystem of the server, but could also be e.g. a database)
The attacker intercepted a session cookie of a more privileged user.
The attacker successful fixated the session of a more privileged user (see session fixation attacks).

The Archive Base Latest Questions