I am new to Sessions and I am concerned about security.
My question is if the use of Sessions is secure enough, so that a user will not be able to change the values from page1 to page2 with the use of a plugin or any advanced methods.
My purpose is to clear up my mind on what to choose between
- to pass all the needed variables through sessions or
- to pass only the id through post/get and get the needed data from the database.
What I do is submit $name in page1.php, and on page2.php use $_POST['name'].
Session data is stored on the server. The only session-related data that should EVER be sent to the user is the session ID token – this is generally a randomly generated string, and is basically meaningless by itself.
Unless your code provides a method for a user to directly change a value in the session, it is impossible for a user to change the session data unless they hack the server.
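The two options from the question side by side, as an added example that is not part of the original question or answer: page2 takes the name from the server-side session, and treats a posted id as untrusted input that must be checked against the session's user before the lookup. The file name `demo.php`, the `ORDERS` array standing in for the database, and the `order_id` field are assumptions made for the illustration.

```php
<?php
// demo.php (hypothetical name). Serve locally: php -S 127.0.0.1:8000 demo.php
declare(strict_types=1);

// Constructed sample rows standing in for the database.
const ORDERS = [
    10 => ['owner' => 1, 'item' => 'keyboard'],
    11 => ['owner' => 2, 'item' => 'monitor'],
];

session_start(); // the client receives only the session ID cookie
$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
header('Content-Type: text/html; charset=utf-8');

if ($path === '/page1.php') {
    // Values written here stay on the server; the browser never sees them.
    $_SESSION['user_id'] = 1;
    $_SESSION['name'] = 'alice';
    // Hidden fields ARE sent to the browser and can be edited before submit.
    echo '<form method="post" action="/page2.php">',
         '<input type="hidden" name="name" value="alice">',
         '<input type="hidden" name="order_id" value="10">',
         '<button>Continue</button></form>';
    exit;
}

if ($path === '/page2.php' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!isset($_SESSION['user_id'])) {
        http_response_code(403);
        exit('No session');
    }
    // Trusted: set by server code on page1. $_POST['name'] is ignored.
    $name = $_SESSION['name'];
    // Untrusted: validate the type, then authorize against the session user.
    $orderId = filter_input(INPUT_POST, 'order_id', FILTER_VALIDATE_INT);
    $order = is_int($orderId) ? (ORDERS[$orderId] ?? null) : null;
    if ($order === null || $order['owner'] !== $_SESSION['user_id']) {
        http_response_code(403);
        exit('Order not found for this user');
    }
    printf('Hello %s, your order: %s',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($order['item'], ENT_QUOTES, 'UTF-8'));
    exit;
}

http_response_code(404);
echo 'Open /page1.php';
```

Submitting the form with `order_id` changed to 11 returns the 403 branch, because the ownership check uses the `user_id` held in the session rather than anything the browser sent.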