In my PHP Web-App I use sessions to store the user’s data. For example, if a user logs in, then an instance of the User class is generated and stored in a Session.
I have access levels associated with each user to determine their privileges.
Store the user in a session by:
$_SESSION['currentUser'] = new User($_POST['username']);
For example:
if($_SESSION['currentUser'] -> getAccessLevel() == 1)
{
//allow administration functions
}
where getAccessLevel() is simply a get method in the User class that returns the _accesslevel member variable.
Is this secure? Or can the client somehow modify their access level through session manipulation of some sort?
No, the client cannot modify their access level. The only thing stored on the client is the session key which is either propagated via cookie or GET parameter. The session key ties to a corresponding session record which is a file stored on the server side (usually in a temp directory) which contains the ‘punch’.
What you don’t want, is for a session key to get leaked to a third party:
Take a look at this: http://www.php.net/manual/en/session.security.php
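Added example, not part of the original question or answer: one way to harden the login flow from the question so the session key is harder to leak, by keeping it out of URLs, restricting the cookie, and issuing a fresh ID at login. The `User` stub, `authenticate()`, the `password` field and the sample account are assumptions made for this sketch.

```php
<?php
// Added example. The User stub and authenticate() are hypothetical stand-ins;
// the account below is constructed sample data.
class User  // defined before session_start() so the stored object can be restored
{
    private $_username;
    private $_accesslevel;
    public function __construct(string $username, int $accessLevel)
    {
        $this->_username = $username;
        $this->_accesslevel = $accessLevel;
    }
    public function getAccessLevel(): int { return $this->_accesslevel; }
}

function authenticate(string $username, string $password): ?int
{
    // Constructed account; a real application would query its user store.
    $accounts = ['alice' => ['hash' => password_hash('sample-pass', PASSWORD_DEFAULT), 'level' => 1]];
    $row = $accounts[$username] ?? null;
    return ($row !== null && password_verify($password, $row['hash'])) ? $row['level'] : null;
}

// Keep the session ID out of URLs and refuse IDs the server did not issue.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([   // array form needs PHP 7.3+
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // cookie is sent over HTTPS only
    'httponly' => true,   // cookie is not readable from page scripts
    'samesite' => 'Lax',
]);
session_start();

$u = $_POST['username'] ?? null;
$p = $_POST['password'] ?? null;
if (is_string($u) && is_string($p)) {
    $level = authenticate($u, $p);
    if ($level !== null) {
        session_regenerate_id(true);  // fresh ID at login; the old session record is deleted
        $_SESSION['currentUser'] = new User($u, $level);  // level is set by the server, not the request
    }
}

if (isset($_SESSION['currentUser']) && $_SESSION['currentUser']->getAccessLevel() === 1) {
    // allow administration functions
}
```

With `secure` set to `true` the cookie is not sent over plain HTTP, so a local test setup without TLS will appear to lose the session on every request.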