faking session data



Hello all,

I have written numerous functions that check all user entered data on my site via POST and GET. My question is this: once my data checks out as being valid, I sometimes store it in SESSION as I move between pages, and eventually use the values in SESSION to update my database. Do I need to re-check the values in SESSION to make sure they are still valid before updating the database? In other words, I know session data resides on the server, but how possible/likely is it that a malicious user could fake session data after or in lieu of my initial error checks? All pages are protected by SSL if that makes any difference. Thanks in advance.

Marcus
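
The flow described in the post above, shown as an added example that is not part of the original post: input is validated once, stored in the session, then run through the same validator again and written with a bound-parameter query just before the database update. It assumes PHP with PDO and SQLite; `validate_profile`, `save_profile`, the `users` table and the sample values are hypothetical, and a plain array stands in for `$_SESSION`.

```php
<?php
declare(strict_types=1);

// Hypothetical validator: one set of rules, used at input time and again at the database boundary.
function validate_profile(array $in): array
{
    $errors = [];
    if (!is_string($in['email'] ?? null) || filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    $range = ['options' => ['min_range' => 13, 'max_range' => 120]];
    if (filter_var($in['age'] ?? null, FILTER_VALIDATE_INT, $range) === false) {
        $errors[] = 'age';
    }
    return $errors;
}

// Re-check the session copy, then write it using bound parameters only.
function save_profile(PDO $db, int $userId, array $session): bool
{
    $data = $session['profile'] ?? null;
    if (!is_array($data) || validate_profile($data) !== []) {
        return false; // missing, stale, or changed by other code running on the server
    }
    $stmt = $db->prepare('UPDATE users SET email = :email, age = :age WHERE id = :id');
    $stmt->execute([':email' => $data['email'], ':age' => (int) $data['age'], ':id' => $userId]);
    return $stmt->rowCount() === 1;
}

// Constructed demo: in-memory SQLite and a plain array standing in for $_SESSION.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, age INTEGER)');
$db->exec("INSERT INTO users (id, email, age) VALUES (1, 'old@example.com', 30)");

$post = ['email' => 'marcus@example.com', 'age' => '34']; // constructed POST data
$session = [];
if (validate_profile($post) === []) {
    $session['profile'] = $post; // stored only after the first check passes
}
var_dump(save_profile($db, 1, $session)); // session copy still passes the check

$session['profile']['age'] = 'abc'; // simulated change made by another script on the server
var_dump(save_profile($db, 1, $session)); // session copy no longer passes the check
```

The second call leaves the row untouched because the session copy fails the same rules the POST data had to pass.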