I’m using PHP sessions with MongoDB by defining the session_set_save_handler().
If every user has a role (client, admin, employee), with every page I load, after getting the session ID, I’m checking the value of the role.
Is this a secure approach? Or can they bypass that?
The session data should contain the “state” (i.e. logged in or not logged in) of a user, but not specific details like a user’s role.
So once a user is authenticated, you can then lookup information on the user in the database. If that user has the required role, then load the page; if not, then don’t.
What you shouldn’t be doing is logging the user in, creating a session for that user and also storing the role in that session. If you do it this way, you’re potentially leaving your website vulnerable to loopholes (especially on shared hosting). Also, what if a user’s role changes during the lifetime of the session? Either you ask the user to log in again, or the change in role isn’t actually “registered” until the session is destroyed (which could be a long time, depending on configuration).
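To make the answer concrete, here is an added PHP example (not from the question or the answer) of the recommended layout: the session holds only the authenticated flag and the user id, and the role is re-read from the user record on every request. The `$USERS` array and the `findUserById()` helper are constructed stand-ins for the MongoDB collection lookup, and the `$session` array stands in for `$_SESSION` so the script runs from the CLI.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the MongoDB users collection; in a real app this
// data would come from a findOne(['_id' => $id]) on the collection.
$USERS = [
    '6500a1' => ['_id' => '6500a1', 'email' => 'alice@example.com', 'role' => 'admin',  'active' => true],
    '6500b2' => ['_id' => '6500b2', 'email' => 'bob@example.com',   'role' => 'client', 'active' => true],
];

// Assumed helper: looks a user up by id, null when the record is gone.
function findUserById(array $users, string $id): ?array
{
    return $users[$id] ?? null;
}

// On login: store only authentication state in the session, never the role.
function loginUser(array &$session, array $user): void
{
    $session = ['authenticated' => true, 'user_id' => $user['_id']];
}

// Per-request authorisation: the role is fetched from the database each time,
// so a role change or a disabled account takes effect on the very next request
// instead of surviving until the session is destroyed.
function userMayAccess(array $session, array $users, array $allowedRoles): bool
{
    if (empty($session['authenticated']) || empty($session['user_id'])) {
        return false;                       // no logged-in state in the session
    }
    $user = findUserById($users, (string) $session['user_id']);
    if ($user === null || !$user['active']) {
        return false;                       // deleted or disabled since login
    }
    return in_array($user['role'], $allowedRoles, true);
}

// Walk-through: bob logs in as a client, is promoted, then disabled.
$session = [];
loginUser($session, findUserById($USERS, '6500b2'));
var_dump(userMayAccess($session, $USERS, ['admin']));   // client asking for an admin page
$USERS['6500b2']['role'] = 'admin';                      // role changed in the database
var_dump(userMayAccess($session, $USERS, ['admin']));   // same session, no re-login
$USERS['6500b2']['active'] = false;                      // account disabled in the database
var_dump(userMayAccess($session, $USERS, ['admin']));   // same session again
```

With a real `$_SESSION`, `loginUser()` would also call `session_regenerate_id(true)` so the pre-login session id is not kept after authentication.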