Can a user alter the value of $_SESSION in PHP?
Storing variables in the $_SESSION variable has two potentials for "insecurity".
- The first, as described by the other answer, is called "session fixation". The idea here is that since the session ID is stored in a cookie, the ID can be changed to that of another user. This is not a problem if a user gets a new ID every single session, therefore making it very difficult to find the ID of a currently working session and hijack it.
- The second depends entirely on your code. If your code leaks the values of the secret information you store in $_SESSION then it is insecure. If your code allows the user to control the values of that information it is insecure. Otherwise if something is in the $_SESSION variable and your code never allows the user to see it or write to it then it is secure.
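An added example, not code from either answer above, putting the two points into a login/logout pair: the session identifier is replaced at the moment of authentication, so an ID that existed (or was known to someone) before login is useless afterwards, and the values that matter (user, role) are written only by the server from its own lookup. The user table and the `startSecureSession`/`login`/`logout` function names are constructed for the demonstration; a real application would read the password hash from a database.

```php
<?php
// Added example (not the answers' own code): login that regenerates the session
// ID and never lets the request decide what goes into $_SESSION.
declare(strict_types=1);

// Constructed user store for the demo: username => password_hash() output.
$USERS = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function startSecureSession(): void
{
    // HttpOnly keeps page scripts from reading the ID, Secure keeps it off plain
    // HTTP, and SameSite=Lax limits cross-site requests that carry it.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Returns true and upgrades the session on valid credentials, false otherwise. */
function login(array $users, string $username, string $password): bool
{
    $hash = $users[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Fresh ID at the privilege boundary: anything that knew the old ID is locked out.
    session_regenerate_id(true);
    // The server decides these from its own data. The insecure counterpart the
    // answer warns about would be something like $_SESSION['role'] = $_GET['role'];
    $_SESSION['user']  = $username;
    $_SESSION['role']  = 'member';
    $_SESSION['since'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie in the browser as well as destroying the server-side file.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
                  $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Typical request flow for a login form that POSTs username and password.
startSecureSession();
if (isset($_POST['username'], $_POST['password'])) {
    if (login($USERS, (string)$_POST['username'], (string)$_POST['password'])) {
        header('Location: /account.php', true, 303);
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
}
```

Because `session_regenerate_id(true)` deletes the old session file, a request that still carries the old cookie gets an empty, unauthenticated session rather than the logged-in one.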
Is php session unchangeable from user end?
$_SESSION is saved on the server, so the user cannot modify it (except in the case of session hijacking).
Can a user modify a PHP session?
No. The data in the $_SESSION variable is stored on the server, inaccessible from the user.
A session is coupled to a user through a cookie. A cookie with an identifier (i.e. a long random string) is sent to the user to identify the user and link him to his session. If somebody else gains access to this cookie, he can use that same code to pretend he is the user, and that way he can get in without the password.
Is it possible to change a $_SESSION variable client-side?
PHP is a server-side programming language and the $_SESSION superglobal is only directly accessible on the server. With 'normal' PHP sessions, the data contained in the SESSION superglobal is passed back and forth between the browser and the server in a cookie. So technically, it is possible to modify the session with JavaScript in a web browser by modifying the cookie.
But please note, any attempt to do anything like this is probably a terrible idea and there's most likely a far more simple way to accomplish whatever you're trying to do.
Edit: This question I asked may be of use to you: Codeigniter/PHP sessions security question
Is it possible to modify the $_SESSION variable?
Yes, by using another user's session data, as shown here: http://phpsec.org/projects/guide/4.html
Change SESSION variable value
This is what you wrote:
if (isset($_SESSION['can'])) {
session_start();
session_start() is the function which reads the session file associated with the user's PHPSESSID cookie and populates $_SESSION, so you're trying to read from the array before it has any values. You need to call session_start() before you check if $_SESSION['can'] has a value.
You also do not need to destroy and create a new session just to change a value.
<?php
// Load the session first, so $_SESSION is populated before it is read.
session_start();
// Toggle the value in place; no need to destroy and recreate the session.
if (isset($_SESSION['can'])) {
$_SESSION['can'] = 2;
} else {
$_SESSION['can'] = 1;
}
// Send the user back to the page they came from and stop the script,
// so nothing runs after the redirect header has been sent.
header('Location: ' . $_SERVER['HTTP_REFERER']);
exit;
?>
PHP Session: How to Edit Other User's Session / Editing Session File
You can modify another user's session (see below), although personally I would recommend against it, as I imagine it can open up a whole world of session hijacking and other vulnerabilities.
With your example use case:
A common user is logged in while, at the same time, an administrator uses the admin functions and changes some value for this user. If the value is not something obtained from the database every time, the session variable for that currently logged-in user needs to have its value changed.
You would be better off updating the value in the database and then just checking to see if it's changed before you process the next page.
If you don't want to be checking multiple user fields before each page load, then when you update the user in the admin panel you can build a hash of the values and add it to a new column called session_hash. Then just compare this field on page load.
But if you still want to modify another user's session, you can set your current session_id to the target's.
// End my current session and save its id
session_start();
$my_session_id = session_id();
session_write_close();
// Modify our target session ($target_id must be a session id you obtained
// from your own records, never from request input)
session_id($target_id);
session_start();
$_SESSION['is_logged_in'] = false;
session_write_close();
// Start our old session again; each session_start() resends the session
// cookie, so this last one leaves the browser with your own id
session_id($my_session_id);
session_start();
EDIT
Example: https://www.samdjames.uk/session_example/index.php
Example Src: https://gist.github.com/SamJUK/c220e3742487567c6262238edf85695e
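An added example, not from the answer above or its gist, of the session_hash alternative the answer recommends instead of opening another user's session file: the admin only updates the database row, and every authenticated page compares a digest of the security-relevant columns with the digest cached in the session, reloading its copy (or logging the user out) when they differ. The column list, the `userStateHash` and `refreshSessionFromDatabase` names and the in-memory `$db` array are constructed for the demonstration; in real code the loader is a database query and the session array is `$_SESSION`.

```php
<?php
// Added example (not the answer's own code): detect admin-side changes to a
// user's record without writing into that user's session.
declare(strict_types=1);

/** Columns whose change must be reflected in a live session. */
const SESSION_RELEVANT_COLUMNS = ['role', 'is_active', 'email'];

/** Deterministic digest of the relevant columns, in a fixed order. */
function userStateHash(array $row): string
{
    $parts = [];
    foreach (SESSION_RELEVANT_COLUMNS as $col) {
        $parts[] = $col . '=' . (string)($row[$col] ?? '');
    }
    return hash('sha256', implode("\x1f", $parts));
}

/**
 * Call at the top of every authenticated page. $loadUser returns the current
 * database row for a user id, or null if the row is gone. The session array is
 * passed by reference so the same function works on $_SESSION.
 * Returns false when the user must be treated as logged out.
 */
function refreshSessionFromDatabase(array &$session, callable $loadUser): bool
{
    $row = $loadUser((int)($session['user_id'] ?? 0));
    if ($row === null || !$row['is_active']) {
        $session = [];          // account deleted or disabled: drop everything
        return false;
    }
    $current = userStateHash($row);
    if (!hash_equals($session['session_hash'] ?? '', $current)) {
        // Something changed since the session last looked: take the new values.
        $session['role']         = $row['role'];
        $session['email']        = $row['email'];
        $session['session_hash'] = $current;
    }
    return true;
}

// --- Constructed demonstration data; no real database behind it ---
$db = [
    42 => ['id' => 42, 'role' => 'member', 'is_active' => 1, 'email' => 'u@example.test'],
];
$loadUser = function (int $id) use (&$db): ?array {
    return $db[$id] ?? null;
};

// At login the user's own script caches the values and their digest.
$session = [
    'user_id'      => 42,
    'role'         => $db[42]['role'],
    'email'        => $db[42]['email'],
    'session_hash' => userStateHash($db[42]),
];

// An administrator demotes the user in the database only.
$db[42]['role'] = 'readonly';
refreshSessionFromDatabase($session, $loadUser);
echo 'role now in session: ', $session['role'], PHP_EOL;

// An administrator disables the account; the user's next request ends the session.
$db[42]['is_active'] = 0;
if (!refreshSessionFromDatabase($session, $loadUser)) {
    echo 'session cleared, user must log in again', PHP_EOL;
}
```

The comparison costs one indexed row lookup per request, and the session file is only ever written by the request that owns it, which is what keeps the answer's warning about hijacking-style side effects out of the picture.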
Update session variable in php
When you upload the user image you update the content in the table to the associated user. However, you do not update the session variable with the corresponding value.
After you have run the query successfully, before you return the success message, set the value of the session variable, like so:
[...]
$_SESSION['userpic'] = $userpic;
echo '<div id = "check"> Your image was successfully uploaded</div>';
[...]
Edit: Note that the change of the image will not happen on THIS page load; it will happen after. This is because you are using the previous value up until this point.
It is a common approach to do a complete page load/redirect when you have finished a request. For example, you can store the output message in a session variable, redirect the user and then check if there are any messages to output.
Sample:
[...]
$sql->execute();
$sql->close();
$con->close();
$_SESSION['userpic'] = $userpic;
$_SESSION['messages'] = '<div id = "check"> Your image was successfully uploaded</div>';
header("Location: index.php");
Then, somewhere in your index.php where you want the message to be, you add something like this:
if (isset($_SESSION['messages']) and strlen($_SESSION['messages']) > 0) {
echo $_SESSION['messages'];
unset($_SESSION['messages']);
}
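An added example, not the answer's own code, of the redirect-then-display pattern with the message stored as plain text and escaped at render time, so a message that happens to include user-supplied text (an uploaded file name, say) cannot inject markup into the next page. The `addFlash`/`renderFlashes` names and the sample messages are constructed for the demonstration; the commented upload.php/index.php lines show where the calls go with `$_SESSION`.

```php
<?php
// Added example (not the answer's own code): queue messages across a redirect
// and escape them when they are rendered.
declare(strict_types=1);

/** Queue one message; $level becomes part of a CSS class, $text is plain text. */
function addFlash(array &$session, string $level, string $text): void
{
    $session['flash'][] = ['level' => $level, 'text' => $text];
}

/** Render and clear all pending messages; returns '' when there are none. */
function renderFlashes(array &$session): string
{
    if (empty($session['flash'])) {
        return '';
    }
    $html = '';
    foreach ($session['flash'] as $msg) {
        // Only a plain word may become a class name; anything else falls back to "info".
        $level = preg_match('/^[a-z]+$/', $msg['level']) ? $msg['level'] : 'info';
        $html .= '<div class="flash flash-' . $level . '">'
               . htmlspecialchars($msg['text'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
               . '</div>' . PHP_EOL;
    }
    unset($session['flash']);   // one-shot: shown once, then gone
    return $html;
}

// In upload.php, after the query succeeded:
//   $_SESSION['userpic'] = $userpic;
//   addFlash($_SESSION, 'check', 'Your image was successfully uploaded');
//   header('Location: index.php', true, 303);
//   exit;
// In index.php, where the message belongs:
//   echo renderFlashes($_SESSION);

// Stand-alone demonstration with a constructed session array instead of $_SESSION.
$session = [];
addFlash($session, 'check', 'Your image was successfully uploaded');
addFlash($session, 'error', 'Rejected file name: photo<b>.jpg');
echo renderFlashes($session);
echo renderFlashes($session) === '' ? "queue is empty after rendering\n"
                                    : "queue was not cleared\n";
```

Using status 303 on the redirect after a POST tells the browser to fetch index.php with GET, which is the point of the pattern: a refresh of the result page does not resubmit the upload.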