Is it secure to use
```php
session_start(); // needed before $_SESSION is available

if (isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true) {
    // Show secure page
}
```
Can someone just go and change where the session variable is stored to make their $_SESSION['authenticated'] equal to true?
Same thing with a user having $_SESSION['id'] equal to their index id. How would I be able to make this more secure?
Could someone just go and change the id value and impersonate another user?
Would the below method be the right way to make something more secure?
```php
// At login: generate a random per-session token
$_SESSION['random_check'] = bin2hex(random_bytes(16));
```
and also store this in a column in my database and each time I would
```php
// $random_check_from_db is the value previously saved in the user's database row
if (isset($_SESSION['authenticated'], $_SESSION['random_check'])
    && $_SESSION['authenticated'] === true
    && hash_equals($random_check_from_db, $_SESSION['random_check'])) {
    // Then show secure page
}
```
Thanks,
I'm pretty sure Session in most hosting is just an interface to your filesystem, i.e. all Session data is stored on the server's hard disk. If you look at the `phpinfo()` output, you can see the actual path where Session data is stored. With that said, unless you chmod your session path to 777 and the attacker happens to know where you are hosting your app and has the login, then I don't think it's much of an issue.
The bigger issue here is securing your cookie, as it's the piece of information that's going back and forth between your server and client, which attackers can use to impersonate legit users.
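Since `$_SESSION` lives on the server and is only reachable through the session ID in the cookie, the practical hardening is on that cookie and on the login/logout handling. The following is an added example, not code from this thread; it assumes a PDO connection in `$pdo` and a `users` table with `id`, `username` and `password_hash` columns (all assumed names).

```php
<?php
// Added example: protect the session cookie that carries the session ID.
// Cookie flags must be set BEFORE session_start().
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',    // not sent on most cross-site requests
]);
ini_set('session.use_strict_mode', '1');  // reject session IDs the server did not issue
ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
session_start();

// Assumed schema: users(id, username, password_hash) reached through $pdo.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Issue a fresh session ID on login so an ID obtained before login is useless.
    session_regenerate_id(true);
    $_SESSION['authenticated'] = true;
    $_SESSION['id'] = (int) $user['id']; // set only here, server-side, never from input
    return true;
}

// Guard for protected pages: trust only what the server itself stored.
function requireLogin(): void
{
    if (empty($_SESSION['authenticated']) || !isset($_SESSION['id'])) {
        http_response_code(403);
        exit('Not logged in');
    }
}

function logout(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/'); // expire the cookie client-side
    session_destroy();                                  // drop the server-side data
}
```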