NetTalk Central

Author Topic: Security Question: Session Values  (Read 3653 times)

rupertvz

Security Question: Session Values
« on: August 07, 2017, 01:41:39 AM »
Hi Guys,

How secure are session variables / values?

Are these running on the server side, or would a browser be able to reveal the contents?


Bruce

Re: Security Question: Session Values
« Reply #1 on: August 07, 2017, 09:46:38 PM »
So within a specific session I would not describe them as "secure".
In other words there is no specific goal to prevent a user from seeing their own session values.

That said, they're not easy to inspect - offhand I can't think of any overt ways to do it - but making them "secret" to the user has not been a goal. (In the absence of security goals, one should assume they are insecure.)

However, I'm pretty sure one user would not be able to access the session values for another user (assuming the site is secure with TLS, of course).

Cheers
Bruce