Can a user alter the value of $_SESSION in PHP?

爱一瞬间的悲伤 2020-12-01 07:31

this is crossing my mind and I'm wondering if it is possible, how secure can it be to store info in the $_SESSION variable of PHP?

4 answers
  •  渐次进展
    2020-12-01 08:19

    Storing variables in the $_SESSION variable has two potential sources of "insecurity".

    • The first, as described by the other answer, is called "session fixation". The idea here is that since the session ID is stored in a cookie, the ID can be changed to that of another user. This is not a problem if a user gets a new ID every single session, therefore making it very difficult to find an ID of a currently working session and hijack it.
    • The second depends entirely on your code. If your code leaks the values of the secret information you store in $_SESSION, then it is insecure. If your code allows the user to control the values of that information, it is insecure. Otherwise, if something is in the $_SESSION variable and your code never allows the user to see it or write to it, then it is secure.
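The two points in this answer, a fresh session ID when a user logs in and never letting the client decide what goes into $_SESSION, can be shown side by side in a small PHP login handler. The code below is an added example and is not from the thread; it uses only PHP's standard session API, and the `lookupUser()` helper with its single hard-coded sample record is a constructed stand-in for a real user store.

```php
<?php
// Added example (not from the original thread). lookupUser() and its sample
// record are constructed for illustration; the rest is PHP's session API.
declare(strict_types=1);

// Harden the session cookie before the session starts.
session_set_cookie_params([
    'lifetime' => 0,        // expires when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable by JavaScript
    'samesite' => 'Lax',
]);
// Accept only session IDs that this server issued; an unknown ID supplied
// in a cookie is discarded and a new one is generated.
ini_set('session.use_strict_mode', '1');
session_start();

// Hypothetical user lookup; a real application would query its user store.
function lookupUser(string $username, string $password): ?array
{
    // Constructed sample record for the example.
    $users = [
        'alice' => [
            'id'   => 42,
            'role' => 'user',
            'hash' => password_hash('correct horse', PASSWORD_DEFAULT),
        ],
    ];
    if (!isset($users[$username])) {
        return null;
    }
    return password_verify($password, $users[$username]['hash'])
        ? $users[$username]
        : null;
}

// INSECURE pattern (the answer's second bullet): the request body decides
// what is stored in the session, so the client can claim any role it likes.
function loginInsecure(): void
{
    $_SESSION['user_id'] = $_POST['user_id'] ?? null;
    $_SESSION['role']    = $_POST['role'] ?? 'user';
}

// HARDENED pattern: values come only from server-side verification, and the
// session ID is regenerated at login so an ID set before authentication
// (the fixation case from the first bullet) is never promoted to a logged-in session.
function loginSecure(string $username, string $password): bool
{
    $user = lookupUser($username, $password);
    if ($user === null) {
        return false;
    }
    // Delete the old session data and issue a fresh ID before storing anything privileged.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $user['id'];    // server-derived
    $_SESSION['role']     = $user['role'];  // server-derived, never from $_POST
    $_SESSION['login_at'] = time();
    return true;
}

// Authorization decisions read the session, never the request.
function isAdmin(): bool
{
    return ($_SESSION['role'] ?? '') === 'admin';
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = loginSecure(
        (string)($_POST['username'] ?? ''),
        (string)($_POST['password'] ?? '')
    );
    http_response_code($ok ? 200 : 401);
}
```

The session data itself lives on the server, so what the browser can influence is limited to the session ID cookie and the request fields your code copies into $_SESSION. `session.use_strict_mode` and `session_regenerate_id(true)` close off the first path; writing only server-derived values (as in `loginSecure()`, not `loginInsecure()`) closes off the second.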
