Is it possible to “pirate” a session variable (I d

Published 2019-04-05 13:38

Question:

I am currently doing a website in php, we are using a Session variable to store the permission level of each user.

For example, if any one of you would go on the website, you would automatically get a session variable with a value of "member".

What I am asking is: Is it possible for an attacker to go on the website and modify the value of the session variable to "admin" instead of "member"?

I am not asking how, just if it is possible, and if so what kind of special access the attacker would need (ex: access to the code, ....)

I have an alternative solution, which would be to replace the permission value with a token that would expire over time.

The second solution is way longer to implement.

Thanks for your help!

Answer 1:

No, unless:

  • The attacker had access to the storage of the session variables (usually the filesystem of the server, but could also be e.g. a database)
  • The attacker intercepted a session cookie of a more privileged user.
  • The attacker successfully fixated the session of a more privileged user (see session fixation attacks).


Answer 2:

From what you've described I assume you aren't storing the permission in a cookie. Therefore, the only way they could get access would be to guess/brute force an administrator's session ID or use some cross-site scripting attack. If your session IDs are sufficiently long the first method would be very hard to accomplish.



Answer 3:

The higher risk comes from an attacker stealing an active session; you can find out about it here:

  • http://samy.pl/
  • http://samy.pl/phpwn/


Answer 4:

Your session variables should be safe because the session is stored on the server. However, in order to relate a specific client with a specific session, a cookie is usually set that contains a session ID, and an attacker could try to access a different user's session by munging their session ID cookie (either by brute force or by somehow capturing someone else's cookie).



Answer 5:

It depends on how you are storing the session. If it is in the URL, then yes. If it is in a cookie, then maybe.



Answer 6:

Unless there's a security flaw in your app, someone can't just up and change session variables -- those are stored on the server, and the client never has direct access to them.

What they can do, however, is change their session ID by going to a URL like http://your.site.com/?PHPSESSID=2342f24502ade525 . The potential for abuse there is twofold: (1) if they happened to know a logged-in user's session ID somehow, the session ID would let them impersonate that user, giving them all the access that user has; and (2) if they can trick someone into going to a URL that has a session ID attached, and that person logs in, they now know that user's session ID (because they provided it!), and we're back to (1).
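The defences against the two scenarios above (a session ID planted through the URL, and a captured ID being reused) fit in a few lines of PHP session configuration. The following is an added example, not code from any answer or from the asker's site; the `$_SESSION['role']` key and the `promote_after_login()` / `require_role()` helper names are assumptions, and the `samesite` cookie parameter needs PHP 7.3 or later.

```php
<?php
// Added example: hardening a PHP session that stores a permission level.

// Only accept the session ID from the cookie, never from ?PHPSESSID=... in the
// URL, which removes the "trick a user into a URL with an ID" vector.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Discard any ID the server did not itself generate (PHP >= 5.5.2), so an
// attacker cannot pre-choose ("fixate") the victim's session ID.
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // sent over HTTPS only: the ID cannot be sniffed in clear text
    'httponly' => true,   // not readable from JavaScript, which blunts XSS cookie theft
    'samesite' => 'Lax',
]);
session_start();

// Every visitor starts as a plain member, exactly as the question describes.
if (!isset($_SESSION['role'])) {
    $_SESSION['role'] = 'member';
}

/**
 * Hypothetical helper: call once the user's credentials have been verified.
 * Regenerating the ID at the privilege change means an ID that was known to
 * an attacker before login never becomes an authenticated session.
 */
function promote_after_login(string $role): void
{
    session_regenerate_id(true);   // true = destroy the old session data too
    $_SESSION['role']       = $role;
    $_SESSION['login_time'] = time();
}

/**
 * Hypothetical helper: the server-side check that pages use. Because the role
 * lives only in server storage, the client cannot edit it; only the ID that
 * points at it is at risk, which is what the settings above protect.
 */
function require_role(string $needed): void
{
    if (($_SESSION['role'] ?? 'member') !== $needed) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

Calling `session_regenerate_id(true)` on logout (or simply `session_destroy()`) closes the loop, so a captured ID stops working as soon as the user signs out.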