Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
When having user login to the site I need to somehow store the logged in user id so that my site can generate different content for different users.
Is it secure to save a user’s id in a $_SESSION[] variable?
Is it possible for a user to change the $_SESSION[] data and pretend to be another user?
I use the id to check which data I should fetch from the database and to see which permissions the user has.
Best and accepted practice is to save the user id in the session.
The session is by default stored in
/tmpas a file. It is not view able by the end user unless you have security issues such as directory traversal vulnerabilities. Most applications use$_SESSIONas you are. If there where a wide spread weakness then major projects would be doing things differently. You don’t have to worry about server-side Session value being obtained through a client-side exploit. Also keep in mind the simplicity of using the session as well. It makes data access to user specific data that you need to access constantly, standard and consistent throughout your application.