change the value of session variable manually

tyuret used Ask the Experts™
Can a user change the value of a session variable manually and continue with this new value?
Do I have to make it read only  (if  I can) when creating session variables?

Thank you
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
if you write code for it, you can change it, session variables are kept at the server side so they are normally safe (eg used to kept the login state of a user etc...)
session variables can only be changed at server. Only your server side script can make changes into session variables.
Most Valuable Expert 2011
Top Expert 2016
Don't worry about your client changing the content of a session variable.  Here is the quick tour.

1. Start all of your scripts unconditionally with this function call: session_start();
2. Put information into the $_SESSION array
3. Expect to find the information in all of the scripts for as long as the client has a browser open to your site.

All the usual caveats apply about things like accepting unfiltered external data.  You can use sanity checks on the contents of $_SESSION if you want.  But in practice this is not likely to be necessary.
Mohamed AbowardaSenior Software Engineer
Session variables are stored in the server side, therefore the user can't change it.

Most PHP login forms use session variables to store login information, so don't worry, the user can't change the session variable unless you allow them to change specific variables programmatically.

The user can manipulate HTML, javascript variables or the entire javascript code, send UNEXPECTED requests to the server, for example send request to PHP page to delete a database record, but they can't force the server to do anything, the server can either process the request or deny it.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial