Home/ Questions/Q 8059729
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T09:45:43+00:00

I made a user authentification script for a password protected page. In the first

  • 0

I made a user authentification script for a password protected page.

In the first version of my script I started by checking if the user name and password matched the ones in the database and if yes, set a $_SESSION[‘user_connected’] variable as well as a $_COOKIE[‘user_connected’] variable to TRUE. My index.php file started by verifying if $_COOKIE[‘user_connected’] was set and then bypassed the database check if true.

I then realized cookies were accessible by the user and someone could simply set $_COOKIE[‘user_connected’] to TRUE before accessing the site and chaos would ensue. But what about the $_SESSION variables ? Can I securely use them to check throughout the website if the user is connected ?

tl;dr : Can users modify $_SESSION variables ?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    No.

    They are stored on the server and only editable by scripts running on the server.

    The user only gets a token that identifies which bundle of data is associated with them.

    • 0