Home/ Questions/Q 324999
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-12T09:10:32+00:00

When a low-privilege non-administrator user logs into my web app successfully, I am storing

  • 0

When a low-privilege non-administrator user logs into my web app successfully, I am storing the following data in the $_SESSION array:

$_SESSION = array(
    'user_id'     => 2343,  // whatever their user_id number is from the DB
    'allow_admin' => false, // don't give them access to admin tools
    'allow_edit'  => false, // don't let them edit stuff
    );

Is there any way that they could manipulate the $_SESSION array to give them Admin or Edit access, apart from somehow editing the session files in /tmp? (The above code is the only place where those items are added to $_SESSION)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The contents of the session are only visible and modifiable on the server side.

    They could only be modified in an "unauthorized" way if your application or server contains some vulnerability.

    You should also be aware of such things as session fixation attacks, where an attacker forces a particular session id onto an unsuspecting user, who when logs in and elevates that session’s privileges, allowing an attacker to share that session.

    One approach to mitigating these is to regenerate the session id whenever you change privilege levels of the session.

    See also this question:

    • 0