Security of $_SESSION array

囚心锁ツ 2021-01-01 01:52

When a low-privilege non-administrator user logs into my web app successfully, I am storing the following data in the $_SESSION array:

$_SESSION
6 answers
  •  情歌与酒
    2021-01-01 02:39

    The contents of the session are only visible and modifiable on the server side.

    They could only be modified in an "unauthorized" way if your application or server contains some vulnerability.

    You should also be aware of such things as session fixation attacks, where an attacker forces a particular session id onto an unsuspecting user who, when they log in and elevate that session's privileges, allow the attacker to share that session.

    One approach to mitigating these is to regenerate the session id whenever you change privilege levels of the session.

    See also this question:

    • PHP Session Security
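The mitigation the answer describes, as an added example that is not the answerer's code: regenerate the session id at the moment the privilege level changes (login and logout). It assumes a hypothetical `verify_credentials()` returning a user array with `id` and `role` keys, which is not part of this page.

```php
<?php
// Added example: login flow that regenerates the session id on privilege
// change, so a pre-planted (fixated) id never maps to an authenticated session.
declare(strict_types=1);

// Start the session with conservative cookie settings: the id is not readable
// by script, is only sent over HTTPS, and ids the server never issued are rejected.
session_start([
    'cookie_httponly' => true,
    'cookie_secure'   => true,
    'cookie_samesite' => 'Lax',
    'use_strict_mode' => true,
]);

function login(string $username, string $password): bool
{
    // verify_credentials() is hypothetical: returns ['id' => ..., 'role' => ...] or null.
    $user = verify_credentials($username, $password);
    if ($user === null) {
        return false;
    }

    // Privilege level rises here: discard the pre-login id. The `true` argument
    // deletes the old session data so the old id cannot be reused.
    session_regenerate_id(true);

    $_SESSION['user_id'] = $user['id'];
    $_SESSION['role']    = $user['role'];
    return true;
}

function logout(): void
{
    // Clear server-side data, expire the client cookie, then destroy the session.
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Regenerating on login alone does not help if the session cookie can be set over plain HTTP or read by script, which is why the cookie flags above accompany the `session_regenerate_id()` call.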
