Session injection?
All session variables in PHP are stored server side. The client stores a cookie that references which session should be used, and then the server looks up the values for that session. It is safe to store is_logged_in in your session as well as the user id.
What you should be aware of is that if one user gets hold of another user's session cookie, they will be able to impersonate that user until the session times out. One simple solution is to link sessions to IPs.
Luis
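As an added example (not part of the answer above or of any project the page describes), the PHP below shows the pattern the answer describes: the user id and is_logged_in flag live only in the server-side session store, the client holds nothing but the opaque session id cookie, and the session is bound to a client property and given an idle timeout so a stolen cookie stays useful for a limited time. The verifyCredentials() function is a hypothetical placeholder; the binding uses the User-Agent rather than the IP address because, as the comments note, IP binding logs out mobile users whose address changes.

```php
<?php
// Added example, not code from the original answer.
// Assumes a normal web request (session cookie, $_SERVER headers available).
declare(strict_types=1);

// Cookie flags that make the session id harder to steal: HttpOnly keeps it
// away from page scripts, Secure restricts it to HTTPS, SameSite=Lax limits
// cross-site sending. Must be set before session_start().
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Hypothetical placeholder: a real implementation looks up the stored
// password_hash() for $username and checks it with password_verify().
function verifyCredentials(string $username, string $password): ?int
{
    return null; // null = authentication failed
}

function loginUser(int $userId): void
{
    // Issue a fresh session id at the moment privileges change, so an id that
    // was fixed or observed before login does not become an authenticated one.
    session_regenerate_id(true);

    // These values exist only in the server-side session store; the client
    // cannot read or edit them, it only presents the session id cookie.
    $_SESSION['id'] = $userId;
    $_SESSION['is_logged_in'] = true;

    // Bind the session to the User-Agent. Adding the IP address is stricter
    // but causes regular logouts for mobile users whose address changes.
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['last_seen'] = time();
}

function isLoggedIn(int $maxIdleSeconds = 1800): bool
{
    if (empty($_SESSION['is_logged_in']) || !isset($_SESSION['id'])) {
        return false;
    }

    // Reject the session if it is presented from a client whose User-Agent
    // no longer matches the one recorded at login.
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua_hash'] ?? '', $ua)) {
        logoutUser();
        return false;
    }

    // Idle timeout: a hijacked cookie only works while the session is active.
    if (time() - (int) ($_SESSION['last_seen'] ?? 0) > $maxIdleSeconds) {
        logoutUser();
        return false;
    }

    $_SESSION['last_seen'] = time();
    return true;
}

function logoutUser(): void
{
    // Clear server-side state, expire the client's cookie, destroy the session.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 3600,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }
    session_destroy();
}

// Typical use in a login handler:
// $uid = verifyCredentials($_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($uid !== null) { loginUser($uid); }
// Typical use on a protected page:
// if (!isLoggedIn()) { header('Location: /login.php'); exit; }
```

Note that session_regenerate_id(true) answers the comment's worry directly: even if a user edits their own cookie to some other value, the server either finds no session for it or finds a session that never had is_logged_in set, because only the server-side login path writes that key.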
Updated on June 27, 2022
Comments
-
Luis (about 2 years ago)
How should I host the id of the user in the session? Just insert the id? I mean (for example):
$_SESSION['id'] = 1;
Isn't there a way for the user to change it himself (as with a cookie)? Because if so, he can change to any id.
One more question about it: how can I check if a user is logged in (with sessions)? I created a session:
$_SESSION['is_logged_in'] = true;
Again, can't the user just create a session whose name is 'is_logged_in' and whose value is true? Or does only the server have control over the value of the session?
-
another (almost 7 years ago)
Check @Charles's answer: "locking a session to an IP address may accidentally alienate people."
-
Rick (about 4 years ago)
I must say that I have used this method before as well, in conjunction with the user-agent. The problem with IP addresses is that mobile users on the go will/can experience regular logouts.