del993788, 2017-01-04 14:01:14

Can an attacker change the value of a variable in a yii2 session?

Hello. My online store is built on sessions. When I add a product to the cart, a session is created and the data is written there. Here is my question: can an attacker change the value of a session variable, for example, change the "order amount" to his own? That is, he added several goods to his cart, the total came to 1000 rubles, and then he changed the value of the amount by 1 ruble in the session.
The session stores data that is taken from the database, but after that the sessions do not interact with the database in any way; they live separately.
Tell me, am I wrong somewhere?

3 answer(s)
Zakhar Storozhuk, 2017-01-05
@del993788

Sessions are stored on the server.
Cookies are stored on the client.
It is unlikely that anyone will be able to change the session. But the logic is not built correctly: you should store only the product id and quantity in the session, and at purchase use the data from the DB.
What if a person adds a product to the cart and you change the price, then he will buy at the old one?)

dev400, 2017-01-04
@dev400

Store the product ID and quantity in the session, and when ordering, select the price from the database. Let him change it; with this approach you can even keep the cart on the client.
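
The approach from the two answers above, sketched as an added example that is not part of the original answers or of Yii itself: the session holds only product IDs and quantities, and every price is read from the database at checkout. The `Cart` class, the `app\models\Product` ActiveRecord model, its `price` column in kopecks and the quantity cap of 100 are assumptions for illustration.

```php
<?php
// Added example. Assumes a hypothetical ActiveRecord model app\models\Product
// with an integer `id` and a `price` column stored in kopecks.
namespace app\components;

use Yii;
use app\models\Product;
use yii\web\BadRequestHttpException;

class Cart
{
    const KEY = 'cart';   // session value is only [productId => quantity]
    const MAX_QTY = 100;  // arbitrary cap chosen for this example

    public function add($productId, $qty)
    {
        $productId = (int) $productId;
        $qty = (int) $qty;
        // Reject zero, negative and oversized quantities before they reach the session.
        if ($productId <= 0 || $qty < 1 || $qty > self::MAX_QTY) {
            throw new BadRequestHttpException('Invalid product or quantity.');
        }
        if (!Product::find()->where(['id' => $productId])->exists()) {
            throw new BadRequestHttpException('Unknown product.');
        }
        $items = Yii::$app->session->get(self::KEY, []);
        $items[$productId] = min(self::MAX_QTY, ($items[$productId] ?? 0) + $qty);
        Yii::$app->session->set(self::KEY, $items);
    }

    /** Re-price the cart from the database; call this at checkout. */
    public function priced()
    {
        $items = Yii::$app->session->get(self::KEY, []);
        $products = Product::find()
            ->where(['id' => array_keys($items)])
            ->indexBy('id')
            ->all();

        $lines = [];
        $total = 0;
        foreach ($items as $id => $qty) {
            if (!isset($products[$id])) {
                continue; // product was removed from the catalogue after being added
            }
            $unit = (int) $products[$id]->price; // current DB price, never a stored amount
            $lines[] = ['id' => $id, 'qty' => $qty, 'unit' => $unit, 'sum' => $unit * $qty];
            $total += $unit * $qty;
        }
        return ['lines' => $lines, 'total' => $total];
    }
}
```

Because no amount is ever stored with the cart, the order total written at checkout depends only on the database rows and the validated quantities, wherever the cart itself is kept.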

Jony1337, 2017-01-04
@Jony1337

Put it all in the database.
Let's say there is Vasya, for example; his id is 7477545, and he added 4 goods to the cart totaling 1k rubles. You enter all this into the database. If he changes his mind about buying and removes them from the cart, simply delete the entries; if he adds something else, the entries in the database are edited.
What's wrong with this implementation, sir?
