Home/ Questions/Q 7542227
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-30T08:06:40+00:00

I use a user management script with Sessions the session object $loggedInUser contains these

  • 0

I use a user management script with Sessions

the session object $loggedInUser contains these properties:

$loggedInUser->email
$loggedInUser->user_id 
$loggedInUser->hash_pw 
$loggedInUser->clean_username

the users are able to submit from ‘form.php’ data through POST to
the processing script ‘process.php

‘form.php’ has access to the before mentioned Session object.
This is the Cookie which is currently submitted at sending the form:

PHPSESSID=7ec81164c9fb2cdc4c6f47a00bc2ae50

Question:

How do I secure the ‘process.php’ to savely allow only logged-in users to submit data?

*As far as i know, ‘process.php’ is only accessed by my server and not the user, therefor i have to submit the Session Object either through Cookie, Get or Post which are all easy to tamper with, is that right?*

In which way, if appropriate, would you use the submitted Cookie or check the validation?

ATM its easy possible, knowing the path to the ‘process.php’, to “fake” a submit without logged-in Status.

Thank you for some words of wisdom 🙂 from experienced programmers.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Store $loggedInUser in session and check $_SESSION['loggedInUser']->isLoggedIn() (or however you normally determine if a user is logged in) in process.php.

    Attackers can spoof the session_id, but not its contents. https://www.owasp.org/index.php/Session_fixation

    • 0