Is Session a safe place to store data ?
#14

(07-25-2016, 03:53 PM)PaulD Wrote: Ah, no it meant that if you store in your cookie, user_id=3 say, if I log in, get a valid session, and change that cookie value to 4, or 5, or 10, or 2, what user will the system think I am? Valid session, valid user id, must be user 5 or 6 - yes? No. It is user 3 mucking about with the cookie.

However, if I check the cookie and find user id = HGKJHIE9353hkb3452kjb I can try altering it, but chances are I am not going to find a valid string. Also, that string can be checked against the stored string in the current session.

Also, if I join and find I am user_id=237, I can have a pretty solid idea of the maximum number of users that site has, which might be information you do not want to share.

Hope that helps,

Paul.

Haaa ok... Yes that would be bad... Well I never worried much about Ion Auth since it had a good reputation and was made by Ben Edmunds.

I just checked my cookies in Chrome and I have:
ci_session, identity, remember_code
Identity has my user e-mail though. I assume if I change this to another user I can't take over his account right? I really don't know how Ion Auth is working internally...
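PaulD's point about an unguessable string that is checked against a server-stored value, sketched in PHP as an added example (not part of either post, and not Ion Auth's code). The function names and the `$users` array are hypothetical and the data is constructed; only the cookie names are borrowed from the list in the post above.

```php
<?php
// Added example, not Ion Auth's code. The $users array stands in for a
// users table (constructed data).

// Issue a remember-me pair: the e-mail is only a lookup key, the random
// code is the secret. Only a hash of the code is kept server-side.
function issue_remember_cookies(array &$users, string $email): array
{
    $code = bin2hex(random_bytes(20));            // 160 random bits
    $users[$email]['remember_hash'] = hash('sha256', $code);
    return ['identity' => $email, 'remember_code' => $code];
}

// Resolve a cookie pair to a user id, or null when the pair does not match.
function resolve_remembered_user(array $users, array $cookies): ?int
{
    $identity = $cookies['identity'] ?? '';
    $code     = $cookies['remember_code'] ?? '';
    // Cookies are attacker-controlled input: reject arrays and empty values.
    if (!is_string($identity) || !is_string($code) || $code === '') {
        return null;
    }
    $row = $users[$identity] ?? null;
    if ($row === null || empty($row['remember_hash'])) {
        return null;                              // unknown user, or no code issued
    }
    // Constant-time comparison against the hash stored for *that* identity.
    return hash_equals($row['remember_hash'], hash('sha256', $code))
        ? $row['id']
        : null;
}

// Constructed sample data.
$users = [
    'alice@example.com' => ['id' => 3, 'remember_hash' => null],
    'bob@example.com'   => ['id' => 4, 'remember_hash' => null],
];
$alice = issue_remember_cookies($users, 'alice@example.com');
$bob   = issue_remember_cookies($users, 'bob@example.com');

// Untouched cookies: the code matches the hash stored for Alice.
var_dump(resolve_remembered_user($users, $alice));

// Only the identity cookie edited to Bob's e-mail: Alice's code is compared
// with the hash stored for Bob, so the pair is rejected.
$tampered = ['identity' => 'bob@example.com', 'remember_code' => $alice['remember_code']];
var_dump(resolve_remembered_user($users, $tampered));
```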


Messages In This Thread
RE: Is Session a safe place to store data ? - by Ivo Miranda - 07-25-2016, 04:13 PM


