
I know there are a lot of session security questions, but I want to know if my specific situation is secure.

In my website the users log in with the Steam Web API and OpenID. It sends me $_SESSION['steamID64'].

I use this steamID64 as the full authentication, for instance:

    // the steamID64 stored in the session is the only thing checked
    if ($_SESSION['steamID64'] == [my steam id]) {
        showAdminPanel();
    }

Can a hacker get my session id and change it in his cookies so the website thinks he is me?

Do you have some advice for me?

Jon Clements
Maarethyu

1 Answer


The session is server-side and cannot be changed like cookies. The session_id can be stolen by a hacker to tell the server to load a specific session for him from server storage.

HttpOnly session cookies cannot be stolen by JavaScript. It seems to be a good way to log in as admin, and also try ===, which can be more secure.

Mahdyfo
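The points raised in the question and answer (the session id is the only secret, a stolen id loads the victim's session, HttpOnly closes the JavaScript path, and === avoids loose comparison) fit together as the login flow below. This is an added example, not code from the question, the answer or the Steam Web API; it assumes a hypothetical verify_steam_openid() helper that validates the OpenID response against Steam and returns the verified steamID64 string or null, the asker's own showAdminPanel(), and a placeholder ADMIN_STEAMID64 constant.

```php
<?php
// Added example (not from the original post). Hardened session handling
// around a Steam OpenID login. verify_steam_openid() and showAdminPanel()
// are assumed to exist; ADMIN_STEAMID64 holds a placeholder id.
declare(strict_types=1);

const ADMIN_STEAMID64 = '76561197960287930'; // placeholder, replace with your own id

// 1. Session settings and cookie flags must be applied before session_start().
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued (anti-fixation)
ini_set('session.use_only_cookies', '1');  // never accept the session id from the URL
session_set_cookie_params([
    'lifetime' => 0,       // browser-session cookie
    'path'     => '/',
    'secure'   => true,    // only sent over HTTPS, so it cannot be sniffed on plain HTTP
    'httponly' => true,    // not readable from document.cookie (the answer's "HTTP_ONLY")
    'samesite' => 'Lax',
]);
session_start();

function login_with_steam(): void
{
    // Hypothetical helper: returns the claimed steamID64 only if Steam's
    // OpenID signature check succeeded, otherwise null.
    $steamId = verify_steam_openid($_GET);
    if ($steamId === null) {
        http_response_code(403);
        exit('OpenID verification failed');
    }

    // Throw away the pre-login session id (and its storage). A session id
    // planted in the victim's browser before login therefore never becomes
    // an authenticated one.
    session_regenerate_id(true);

    $_SESSION['steamID64'] = $steamId; // keep as string so === compares like with like
    $_SESSION['login_at']  = time();
}

function is_admin(): bool
{
    // Strict, type-safe comparison: no numeric juggling of a string id,
    // and hash_equals compares in constant time.
    return isset($_SESSION['steamID64'])
        && is_string($_SESSION['steamID64'])
        && hash_equals(ADMIN_STEAMID64, $_SESSION['steamID64']);
}

if (is_admin()) {
    showAdminPanel();
}
```

Two caveats a practitioner should keep in mind. First, none of this makes a stolen session id harmless: whoever presents that cookie is you until the session ends, so HttpOnly and Secure only remove two of the ways to obtain it (script access and plaintext transport); regenerating the id at login and keeping sessions short limit the damage from the rest. Second, === only works if both sides have the same type: if ADMIN_STEAMID64 were an int literal and the session held a string, the strict check would silently fail, which is why the example stores and compares strings throughout.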