I have a site that only allows access over SSL. When a user logs into the site, the site checks to see whether he/she is a superuser. The way it's currently implemented, it is stored as $_SESSION['is_superuser'].
The alternative that I can see is to query the users table in the database whenever I need to test this using $_SESSION['username'] as the identifier.
I guess what I'm wondering is whether it is safe to leave the superuser flag in the session rather than on the db. Is it possible--even remotely possible--for an end user to tamper with their cookie on their machine and change this? (For the purposes of this question, assume that I'm not concerned about someone hacking into the web or db server and making the change).
Here is what I am figuring as of right now. Looking at the cookies stored after login, I only see:
PHPSESSID => 27aafc7df0f7a3c0241b3d9d4f467bd4f
I am assuming that that Session ID tells PHP where the session state is located on the web server (php/sessiondata?). If I understand correctly, tampering with PHPSESSID would only be a threat if the user coincidentally stumbled on another active session's ID with higher privileges. Given that the sessions expire after 15 minutes, I would say the probability of it happening makes it a non-issue.
Am I missing anything here? Is there anything in PHP.INI that might change this behavior if I release the application to the public and/or relocate it between servers w/different configurations? Does anyone know of a better/safer way to accomplish this? Does the HTTPS/SSL play any role in this (i.e., encrypting the PHPSESSID cookie?)?
Thanks,
Scott
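The setup described in the question, as an added example that is not part of the original post: it pins the session settings that can differ between servers, regenerates the ID at login, and prints what the browser receives next to what stays on the server. The names login_user() and session_is_fresh() and the sample user row are hypothetical; it assumes PHP 7.3+ and the default file-based session handler.

```php
<?php
// Added example: login_user(), session_is_fresh() and the user row are hypothetical.

// Settings that can differ between servers; pin them in code (or php.ini)
// so moving to another host does not silently weaken the session.
ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
ini_set('session.gc_maxlifetime', '900');  // 15 minutes, as in the question

session_set_cookie_params([
    'lifetime' => 0,        // cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

function login_user(array $user): void
{
    // New ID at the privilege change, old session data deleted,
    // so an ID fixed or captured before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['username']     = $user['username'];
    $_SESSION['is_superuser'] = (bool) $user['is_superuser'];
    $_SESSION['last_seen']    = time();
}

function session_is_fresh(int $maxIdle = 900): bool
{
    // gc_maxlifetime only marks data as eligible for cleanup; enforce the idle limit explicitly.
    if (!isset($_SESSION['last_seen']) || time() - $_SESSION['last_seen'] > $maxIdle) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// Constructed sample row, standing in for the users-table lookup at login.
login_user(['username' => 'scott', 'is_superuser' => 0]);

// The browser only ever receives the session name and ID...
printf("cookie: %s=%s\n", session_name(), session_id());
// ...while the flag lives in server-side storage under session.save_path.
printf("server-side data: %s\n", json_encode($_SESSION));
```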