When a user is authorized, his id is written to $_SESSION as $_SESSION['id'] (this is not the PHPSESSID; this is the id from the database).

Task: allow actions to the user only if he is on his own page, for example, service.info/?id=1 (with his id=1).

Question: How safe is this test?

    if ($_SESSION['id'] == $_GET['id']) {
        // some HTML-code
    }

As far as I understand, $_SESSION['id'] is on the server and a user with a different id cannot replace the value in the $_SESSION array, but is that so? (The question does not negate the need for a full-scale check when making changes to the database; we are talking about the display of additional interface elements.)

1 answer

It is completely safe. This is how it should be done:

    if ($page["owner_id"] == $_SESSION['id']) {
        // ...
    }

If money is involved, you can add HTTPS, tokens, etc.

  • I accept the answer and thank @cheops for giving the same answer. - 118_64
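
A stricter form of the check discussed in the question and answer, as an added example that is not part of the original posts: it rejects guests explicitly (with `==`, an unset `$_SESSION['id']` is null and compares equal to a missing or empty `id` parameter) and compares integers with `===`. The function name `isOwnPage` and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example: true only when a logged-in user views the page with their own id.
 * $session and $query stand in for $_SESSION and $_GET so the check can run offline.
 */
function isOwnPage(array $session, array $query): bool
{
    // Not logged in means no owner. Without this guard, null == '' would pass.
    if (!isset($session['id'])) {
        return false;
    }

    // Accept only a decimal integer >= 1 from the URL; "01", "1e0", "" and
    // array parameters (?id[]=1) all fail validation and return false.
    $requested = filter_var(
        $query['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($requested === false) {
        return false;
    }

    // Compare as integers with ===, so no type juggling is involved.
    return (int) $session['id'] === $requested;
}

// Constructed sample requests (not from the original post): [session, query string].
$cases = [
    'owner'             => [['id' => 1], ['id' => '1']],
    'other user'        => [['id' => 2], ['id' => '1']],
    'guest, empty ?id=' => [[], ['id' => '']],
    'guest, no id'      => [[], []],
    'array parameter'   => [['id' => 1], ['id' => ['1']]],
];

foreach ($cases as $label => [$session, $query]) {
    // "show" means the extra interface elements would be rendered.
    printf("%-18s %s\n", $label, isOwnPage($session, $query) ? 'show' : 'hide');
}
```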