
Background story: We run a website with thousands of users and a handful of admins. Some of these admins don't need all-access to the website, so I want to restrict their access by giving them individual permissions.

My plan is to set a Session on user login with the user's permissions, if given any. However, I'm concerned that this might be an unsafe action.

Can a Session be manipulated by a user client side? In this case a regular user could gain access to the admin features if they knew the permission names and set a Session for themselves.

I found some related questions on Stackoverflow, but they didn't give me enough information on the subject.

KlaasJan
  • You are already providing the login for admins and users, so save the type of permission they have and give them rights to modify data according to that. And as long as your session state is encrypted it is very hard to manipulate on the client side. – Garry Feb 12 '13 at 14:28
  • Yes, the Session can be manipulated by a user client side. First of all I suggest you use HTTPS and not HTTP. Next you can use tokens with a time limit for each operation you do. – One Man Crew Feb 12 '13 at 14:31
  • My reason for saving the permissions in a Session rather than just SELECTing the permissions on every page load is just performance. That's why I wanna know if I can trust Sessions enough to hold the data from my permissions table. You say "[...] it is very hard to manipulate on client side" - can I read that as it's basically impossible or it's easy to do? I know cookies are fairly easy to manipulate client side. Is this the same? – KlaasJan Feb 12 '13 at 14:33
  • Every session will have a SessionID. And the Session ID is a unique number the server assigns to a specific user during his visit (session). And by default, the session ID is attached to a cookie and this cookie will be shared from client to server (and server to client) during its requests/responses. And the server will identify the session based on the session ID which is retrieved from the cookie. – Garry Feb 12 '13 at 14:35
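
The two session models the question and comments are circling, as an added Python example that is not code from the original post or its answers. In the server-side model the browser only ever holds an opaque session id, so a user who knows the permission names still cannot assign them to himself; in the cookie-held model (signed-cookie sessions) the data is visible to the client, so it has to be authenticated with an HMAC and any altered cookie is rejected. The in-memory store, the secret and the permission names are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for this example: a per-deployment secret and an in-memory store.
# In production the store would be the session backend (files, Redis, a database).
SERVER_SECRET = secrets.token_bytes(32)
_sessions = {}  # opaque session id -> data that never leaves the server


def login(permissions):
    """Called after credentials are verified. Returns the only value the
    browser ever holds: a random, unguessable session id (sent as a cookie)."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"permissions": set(permissions)}
    return sid


def has_permission(sid, perm):
    """Per-request check: the permission set is looked up by id on the server,
    so a client who knows the permission names still cannot grant them."""
    sess = _sessions.get(sid)
    return sess is not None and perm in sess["permissions"]


# Variant: frameworks that keep the session data inside the cookie itself
# (signed-cookie sessions). The client can read the data, so it is protected
# with an HMAC keyed by a secret the client never sees.
def encode_state(data):
    payload = json.dumps(data, sort_keys=True).encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def decode_state(cookie):
    """Returns the stored data, or None if the cookie was altered or forged."""
    try:
        payload_hex, tag = cookie.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)
```

Both models still depend on the cookie itself being protected in transit (HTTPS, `Secure` and `HttpOnly` flags), which is what the answers below are about.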

2 Answers


You are already providing the login for admins and users, so save the type of permission they have and give them rights to modify data according to that. And as long as your session state is encrypted, it is very hard to manipulate on the client side. If you have concerns about the security of your existing session and cookies, here is a link to make it secure: Secure your Session

This is a full article on how to make your session and cookies secure...

Garry

You can indeed store server variables such as the user-agent, the IP address and so forth (and even JavaScript variables), but they are only good for validating that the persistent cookie data matches the client's new connection. The IP address isn't a good idea except when you know that the client (like you only) isn't going to change on every page load (a la AOL).

Modern web browsers and 3rd party services like LastPass can store login credentials that only require a key press (and sometimes not even that) to send the data to the login form. Persistent cookies are only good for those people who refuse to use what's available otherwise. In the end, persistent, non-session cookies are not really required anymore.

There is no such thing as a secure cookie UNLESS it's transmitted over SSL only. It can be mitigated somewhat when using a persistent non-session cookie (like "remember me"), by doing exactly what you're doing, but not in the same way you're thinking of doing it.

One Man Crew
  • SSL would be best, but you can get a pretty good system by using an encryption scheme ... – Garry Feb 12 '13 at 14:39