Posted by pim on 11/11/30 12:00
Dear All,
What I was wondering is how safe it is to store user_id or username or
anything like that in session. I usually store a bunch of info in a
session so I do not need to search the database all the time. However,
is it easy to change a value after being logged in?
For example:
- A user logs in
- Now this is set: $_SESSION["user_id"] = 34;
- If he opens his "Profile page", the website collects all personal
information from table users where user_id = 34
But according to this article:
http://www.governmentsecurity.org/archive/t13901.html
It is easy to change $_SESSION["user_id"] to for example 78.
So, that means that once you are logged in and change your own
user_id, you can see personal information from other users.
Is this really possible? If so, I can imagine I would use a temporary
table with temporary hashes where user_ids will be stored next to a
temporary hash. However, this is much more work and database traffic
which will slow down the system dramatically.
So... Is $_SESSION["user_id"] = 34 safe enough?
Kind regards,
Pim Zeekoers
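The login and profile-page flow described in the post, as an added example (not code from the original post): $_SESSION is kept on the server, and the browser only holds the session identifier cookie, so the example regenerates that identifier at login and lets nothing from the request choose which user_id is read. It assumes a PDO connection $pdo and a hypothetical `users` table with columns user_id, username and password_hash.

```php
<?php
// Added example, not from the original post. Assumes a PDO connection $pdo
// and a hypothetical `users` table (user_id, username, password_hash).
declare(strict_types=1);

// Cookie flags for the session id; must be set before session_start().
session_set_cookie_params([
    'httponly' => true,   // not readable by page scripts
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT user_id, password_hash FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Issue a fresh session id so an id the browser held before login
    // (e.g. one planted by a third party) no longer maps to this session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['user_id'];
    return true;
}

function currentUserProfile(PDO $pdo): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;   // not logged in
    }
    // The server-side session alone decides whose row is read; no value
    // from $_GET, $_POST or cookies is used to select the user_id.
    $stmt = $pdo->prepare(
        'SELECT user_id, username FROM users WHERE user_id = ?'
    );
    $stmt->execute([$_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```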