Jun 25th, 2006, 08:21 AM
#1
Thread Starter
PowerPoster
[02/03] session security
hi.
I've been having many arguments and debates with myself, often ending up in a good beating lol.
When I add an object into a session, I am also trying to prevent the user on the client from hacking in (impersonating some other user or whatever).
My object is basically a UserDetails object, which contains a unique session ID. The session ID is always passed from page to page, and on each page load it checks to see if the session ID passed in the query string matches the current user details' session ID.
But now I am thinking, and probably rightly so, that it is a bit silly or extreme to do this.
Is leaving an object in session secure enough? Is there any way for the client to "wipe" or modify that data (except when they log off)?
-
Jun 25th, 2006, 08:40 AM
#2
Re: [02/03] session security
Nope, it's stored on the server.
Only the session ID is stored client side (usually either in a cookie or the query string) and although the user can modify that it's extremely unlikely that they will somehow hit another user's session. If you are worried about that you can do a simple IP vs session ID log and that will pretty much eliminate any last chance of circumventing the system.
-
Jun 25th, 2006, 08:52 AM
#3
Thread Starter
PowerPoster
Re: [02/03] session security
OK, I thought so. So I guess I'll take out all the session ID checks I do on each page!!