Is it safe to store sensitive data inside a session variable? Or can it be modified by the client?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Is it safe to store sensitive data inside a session variable? Or can it be modified by the client?
The session’s data is stored on the server (generally, in files).
So, it can not be modified by the client — except if you have a security hole, of course ; but, if that’s the case, people will most probably prefer modifying something more critical, like data in your database.
Though, as it’s generally stored in files on your server, if you are using some kind of shared hosting, other users on your server might be able to see the sessions’ files… At least, if your hosting service didn’t configure the server so each user is in isolation.