Should I double check session data?

Ravenous

My gut assumption is 'yes' 'cause it always pays to be twice as sure. I guess it boils down to whether malicious users can inject/modify session data. If that's possible, the yes.. I need to double check. If it's not possible, why should I bother?

So the question is, is it possible to modify/inject data into a PHP session without access to the scripts themselves?

Drakla

Only if they've got access to the files on the server, plus the appropriate session id. I honestly wouldn't bother - if they've hacked you that far it's the least of your worries.