Can a User Alter the Value of $_SESSION in PHP

Can a user alter the value of $_SESSION in PHP?

Storing variables in the $_SESSION variable has two potentials for "insecurity".

  • The first, as described by the other answer, is called "session fixation". The idea here is that since the session ID is stored in a cookie, the ID can be changed to that of another user. This is not a problem if a user gets a new ID every single session, therefore making it very difficult to find an ID of a currently working session and hijack it.
  • The second depends entirely on your code. If your code leaks the values of the secret information you store in $_SESSION then it is insecure. If your code allows the user to control the values of that information it is insecure. Otherwise if something is in the $_SESSION variable and your code never allows the user to see it or write to it then it is secure.
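As an added example (not the answer's own code) of the "new ID every session" point above: a login handler that regenerates the session ID at authentication, refuses IDs the server never issued, and keeps the cookie out of JavaScript. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params) and a user store constructed inline.

```php
<?php
// Added example, not the answer's own code: a login flow that gives the user a
// fresh session ID on every login and ignores IDs the server never issued.
// The user store is constructed inline so the script runs stand-alone.
ini_set('session.use_strict_mode', '1');  // reject unknown, client-chosen IDs
session_set_cookie_params([                // cookie unreadable by JS, HTTPS only
    'lifetime' => 0, 'path' => '/',
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

// Constructed user store: username => password hash.
$users = ['alice' => password_hash('correct-horse-battery', PASSWORD_DEFAULT)];

function check_credentials(array $users, string $name, string $pass): ?string
{
    if (isset($users[$name]) && password_verify($pass, $users[$name])) {
        return $name;
    }
    return null;
}

function login_user(string $name): void
{
    // Replace the pre-login ID (and delete its file) so an ID planted before
    // authentication never turns into an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user'] = $name;
    $_SESSION['logged_in_at'] = time();
}

function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the browser's copy of the cookie, then drop the server-side data.
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $name = check_credentials($users, $_POST['user'] ?? '', $_POST['pass'] ?? '');
    if ($name !== null) {
        login_user($name);
        header('Location: /index.php');
        exit;
    }
    http_response_code(401);
}
```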

Is php session unchangeable from user end?

$_SESSION is saved on the server, so the user cannot modify it (except in the case of session hijacking).

Can a user modify a PHP session?

No. The data in the $_SESSION variable is stored on the server, inaccessible from the user.

A session is coupled to a user through a cookie. A cookie with an identifier (i.e. a long random string) is sent to the user to identify the user and link him to his session. If somebody else gains access to this cookie, he can use that same code to pretend he is the user, and that way he can get in without the password.

Is it possible to change a $_SESSION variable client-side?

PHP is a server-side programming language and the $_SESSION superglobal is only directly accessible on the server. With 'normal' PHP sessions, the data contained in the $_SESSION superglobal is passed back and forth between the browser and the server in a cookie. So technically, it is possible to modify the session with JavaScript in a web browser by modifying the cookie.

But please note, any attempt to do anything like this is probably a terrible idea and there's most likely a far more simple way to accomplish whatever you're trying to do.

Edit: This question I asked may be of use to you:
Codeigniter/PHP sessions security question

Is it possible to modify the $_SESSION variable?

Yes, by using another user's session data, as shown here: http://phpsec.org/projects/guide/4.html

Change SESSION variable value

This is what you wrote:

if (isset($_SESSION['can'])) {
session_start();

session_start is the function which reads the session file associated with the user's PHPSESSID cookie and populates $_SESSION, so you're trying to read from the array before it has any values.

You need to call session_start before you check if $_SESSION['can'] has a value.

You also do not need to destroy and create a new session just to change a value.

<?php
session_start(); // load the session file first, so $_SESSION is populated

if (isset($_SESSION['can'])) {
    $_SESSION['can'] = 2;
} else {
    $_SESSION['can'] = 1;
}

// Send the user back to the page they came from. HTTP_REFERER is supplied by
// the browser and may be missing, so fall back to the site root.
header('Location: ' . ($_SERVER['HTTP_REFERER'] ?? '/'));
exit; // stop executing once the redirect header has been sent
?>

PHP Session: How to Edit Other User's Session / Editing Session File

You can modify another user's session (see below), although personally I would recommend against it, as I imagine it can open up a whole world of session hijacking and other vulnerabilities.

With your example use case

A common user is logged in, while at the same time an administrator uses the admin functions and changes some value for this user. If the value is not something obtained from the database every time, the session variable for the currently logged-in user needs to have its value changed.

You would be better off updating the value in the database and then just checking to see if it's changed before you process the next page.
If you don't want to be checking multiple user fields before each page load, then when you update the user in the admin panel you can build a hash of the values and add it to a new column called session_hash. Then just compare this field on page load.

But if you still want to modify another user's session, you can set your current session_id to the target's.

<?php
// $target_id holds the session ID of the session to modify; the server must
// already know it (how it is obtained is outside this snippet).

// End my current session and save its id
session_start();
$my_session_id = session_id();
session_write_close(); // flush my data and release the session lock

// Modify our target session (session_id() must be set before session_start())
session_id($target_id);
session_start();
$_SESSION['is_logged_in'] = false;
session_write_close(); // write the change to the target's session file

// Start our old session again
session_id($my_session_id);
session_start();

EDIT

Example: https://www.samdjames.uk/session_example/index.php

Example Src: https://gist.github.com/SamJUK/c220e3742487567c6262238edf85695e
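The database-backed alternative the answer recommends (a session_hash column updated from the admin panel and compared on each page load), as an added example that is not the answer's own code. It uses a constructed in-memory SQLite table; $session stands in for $_SESSION so the script also runs from the CLI.

```php
<?php
// Added example, not the answer's own code: the "session_hash" approach above,
// with a constructed in-memory SQLite table standing in for the users table.
const CACHED_FIELDS = ['role', 'display_name'];

// Hash of only the fields the session caches (column order is fixed by load_user).
function profile_hash(array $row): string
{
    return hash('sha256', json_encode(array_intersect_key($row, array_flip(CACHED_FIELDS))));
}

function load_user(PDO $db, int $id): array
{
    $st = $db->prepare('SELECT id, role, display_name, session_hash FROM users WHERE id = ?');
    $st->execute([$id]);
    return $st->fetch(PDO::FETCH_ASSOC);
}

// Admin side: write the new values and the matching hash in one statement.
function admin_update_user(PDO $db, int $id, array $fields): void
{
    $row = array_merge(load_user($db, $id), $fields);
    $st = $db->prepare('UPDATE users SET role = ?, display_name = ?, session_hash = ? WHERE id = ?');
    $st->execute([$row['role'], $row['display_name'], profile_hash($row), $id]);
}

// User side, once per page load: one cheap query, full reload only when the hash moved.
function refresh_session_if_stale(PDO $db, array &$session): bool
{
    $st = $db->prepare('SELECT session_hash FROM users WHERE id = ?');
    $st->execute([$session['user_id']]);
    $current = (string) $st->fetchColumn();
    if (isset($session['profile_hash']) && hash_equals($current, $session['profile_hash'])) {
        return false; // unchanged since it was cached
    }
    $row = load_user($db, $session['user_id']);
    foreach (CACHED_FIELDS as $f) {
        $session[$f] = $row[$f];
    }
    $session['profile_hash'] = $current;
    return true;
}

// Constructed demo: the user's first request caches the profile, the admin demotes them,
// and the user's next request picks the change up without touching their session file.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, role TEXT, display_name TEXT, session_hash TEXT)');
$db->exec("INSERT INTO users VALUES (7, 'editor', 'Alice', '')");
$session = ['user_id' => 7];
refresh_session_if_stale($db, $session);
admin_update_user($db, 7, ['role' => 'viewer']);
$changed = refresh_session_if_stale($db, $session);
echo ($changed ? 'reloaded' : 'unchanged'), ': role=', $session['role'], PHP_EOL;
```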

Update session variable in php

When you upload the user image you update the content in the table to the associated user. However, you do not update the session variable with the corresponding value.

After you have run the query successfully, before you return the success message, set the value of the session variable, like so:

[...]
$_SESSION['userpic'] = $userpic;
echo '<div id = "check"> Your image was successfully uploaded</div>';
[...]

Edit: Note that the change of image will not happen on THIS page load; it will happen on the next one. This is because you are using the previous value up until this point.

It is a common approach to do a complete page load/redirect when you have finished a request. For example, you can store the output message in a session variable, redirect the user and then check if there are any messages to output.

Sample:

[...]
$sql->execute();
$sql->close();
$con->close();
$_SESSION['userpic'] = $userpic;
$_SESSION['messages'] = '<div id = "check"> Your image was successfully uploaded</div>';
header("Location: index.php");
exit; // stop here so nothing else runs after the redirect header

Then, somewhere in your index.php where you want the message to be, you add something like this:

if (isset($_SESSION['messages']) and strlen($_SESSION['messages']) > 0) {
echo $_SESSION['messages'];
unset($_SESSION['messages']);
}
