aurawindsurfing's avatar

Session attributes safety

Hi,

It is probably an easy one but I guess no harm asking:

When I store some variables in a session, how easy is it for a user to amend them? For instance, if I store an expiry date and need it 2 steps down the road, how easy will it be for a user to hack it and extend the expiry date of his subscription?

0 likes
5 replies
shez1983's avatar

Sessions are stored on your server and can be modified using your code only*, so I guess the question is how 'secure' your code is.

(*or if they have gained access to your server, in which case this is the least of your worries)

Snapey's avatar

It's private to your server, but only for as long as the session lasts.

aurawindsurfing's avatar

OK, but once they expire, the server will generate a new session and therefore overwrite the values. I understand that the mistake would be to keep something super secret in the session, since it can be accessed while the session expires... is that correct, @Snapey?

Snapey's avatar

Session is private to your server. Your users cannot get anything from there unless you send it to them.

If you keep something super secret in the session, that's fine as long as you can recreate it when you need to, because the session is very temporary.

crnkovic's avatar

You can double check. Store the expiration date in the session and in the database as well. Then, if the user deletes that session key, go to the database, check and create a new session.

Then, you can update the session daily, so even if the user modifies the session (unlikely), the next day your app will update the session with correct data from the database.

Never trust the user with sensitive information. You are already running a query to grab the authenticated user from the database on each request by default. Might as well store expiration_date in the database and update on each request.
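
The approach crnkovic describes, as an added example that is not part of the thread: the database row is authoritative and the session only caches it, re-syncing when the key is missing or older than a day. It is plain PHP so it runs stand-alone; the function names, session keys and sample data are assumptions, and `$lookup` stands in for the query on the `expiration_date` column.

```php
<?php
declare(strict_types=1);

// Added example; all names and sample values are hypothetical/constructed.
const REFRESH_AFTER = 86400; // re-read the database at least once a day

/** Expiry timestamp for a user: the session copy is used only while it is
 *  present, well-formed and recently synced; otherwise the database wins. */
function subscriptionExpiry(array &$session, int $userId, callable $loadFromDb, int $now): int
{
    $cached   = $session['sub_expires_at'] ?? null;
    $syncedAt = $session['sub_synced_at'] ?? null;

    $fresh = is_int($cached) && is_int($syncedAt)
        && $syncedAt <= $now && ($now - $syncedAt) < REFRESH_AFTER;

    if (!$fresh) {
        // Missing, malformed or stale: rebuild from the authoritative record.
        $cached = $loadFromDb($userId);
        $session['sub_expires_at'] = $cached;
        $session['sub_synced_at']  = $now;
    }
    return $cached;
}

function isSubscribed(array &$session, int $userId, callable $loadFromDb, int $now): bool
{
    return subscriptionExpiry($session, $userId, $loadFromDb, $now) > $now;
}

// Constructed data standing in for a users table with an expiration_date column.
$db     = [42 => strtotime('2030-01-01 00:00:00 UTC')];
$lookup = fn (int $id): int => $db[$id];
$now    = strtotime('2030-01-02 12:00:00 UTC');

// Case 1: the session key is gone, so the value is reloaded from the database.
$session = [];
var_dump(isSubscribed($session, 42, $lookup, $now));

// Case 2: the cached copy disagrees with the database and is older than the
// refresh window, so it is overwritten before the access decision is made.
$session = ['sub_expires_at' => strtotime('2099-01-01 00:00:00 UTC'),
            'sub_synced_at'  => $now - 2 * REFRESH_AFTER];
var_dump(isSubscribed($session, 42, $lookup, $now));
var_dump($session['sub_expires_at'] === $db[42]);
```

A cached copy inside the refresh window is still trusted until the next sync, which is why reading `expiration_date` from the database on every request, as the post suggests, is the simpler rule for access decisions.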