Is Session a safe place to store data ?
#13

Ah, no, it meant that if you store in your cookie, user_id=3 say, if I log in, get a valid session, and change that cookie value to 4, or 5, or 10, or 2, what user will the system think I am? Valid session, valid user id, must be user 5 or 6 - yes? No. It is user 3 mucking about with the cookie.

However, if I check the cookie and find user id = HGKJHIE9353hkb3452kjb I can try altering it, but chances are I am not going to find a valid string. Also, that string can be checked against the stored string in the current session.

Also, if I join and find I am user_id=237, I can have a pretty solid idea of the maximum number of users that site has, which might be information you do not want to share.

Hope that helps,

Paul.
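The difference the post above describes, as an added example that is not part of the original post or of any framework's code: a check that trusts a `user_id` cookie next to one that takes identity only from server-side session state and compares an opaque random cookie value against the stored copy. The store, cookie names and function names are assumptions made for illustration.

```python
import hmac
import secrets

# Hypothetical in-memory session store (stands in for files, a DB or Redis).
SESSIONS = {}

def login(user_id):
    """Create server-side state and return the cookies sent to the browser."""
    session_id = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)  # opaque: reveals no id and no user count
    SESSIONS[session_id] = {"user_id": user_id, "token": token}
    return {"session_id": session_id, "token": token}

def naive_current_user(cookies):
    """Weak form: any valid session plus whatever user_id the client sent."""
    if cookies.get("session_id") in SESSIONS:
        return int(cookies["user_id"])  # client-controlled value decides identity
    return None

def current_user(cookies):
    """Hardened form: the cookie token must match the string stored in the
    session, and the user id is read from the server side only."""
    session = SESSIONS.get(cookies.get("session_id", ""))
    if session is None:
        return None
    sent = cookies.get("token", "").encode()
    # Constant-time comparison of the cookie value with the stored value.
    if not hmac.compare_digest(session["token"].encode(), sent):
        return None
    return session["user_id"]

if __name__ == "__main__":
    cookies = login(3)  # constructed sample: user 3 logs in
    # Weak form: editing the user_id cookie changes who the system thinks I am.
    print(naive_current_user(dict(cookies, user_id="5")))
    # Hardened form: a user_id cookie is ignored, an altered token is rejected.
    print(current_user(dict(cookies, user_id="5")))
    print(current_user(dict(cookies, token="HGKJHIE9353hkb3452kjb")))
```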


Messages In This Thread
RE: Is Session a safe place to store data ? - by PaulD - 07-25-2016, 03:53 PM


