Session variable security

Am I correct in saying that session variables are unique for the browsers session.
I was just wondering if I use a session variable called “isloggedin” to verify if a user is logged in then is it possible that someone could create a variable with the same name on the same browser to fool the check?

The easy answer is NO to can a person set a variable. We can dive a bit deeper:

  1. Sessions are stored server side and can only be managed by a CFML script.
  2. A user is tied to those sessions typically by a client cookies that Lucee sets per user session.
  3. The client cookies are CFID & CFTOKEN ( Maybe 1 more? ).

So there is no way for a user to set a variable. Now the thing is that you probably should consider approaching your login logic in a different way … but that is for a different thread!

1 Like

As mentioned, the variables themselves are not stored in the browser, but on the server. The browser only holds the session identifier cookie that uniquely identifies it to the server. This is in the same manner that your bank account number uniquely identifies you to the bank, Just because you have your bank account number, doesn’t mean you can magically put 1 million dollars in your bank account. All it means is you can perform valid operations on that account (or session in this case).

A session hijacking attack where a malicious user finds out your secret session cookie is the equivalent to a hacker getting your bank account number.

1 Like

Thanks that’s all very helpful , briefly can you point me to a better login security method? is the start page of a security guide that includes code security features such as encryption, obfuscation, authentication and session management. is an example application (using fw/1) that implements the techniques discussed on CFDocs (and much more!). Even if not using fw/1 it’s a good starting point for reusable code (see the SecurityService.cfc, for example).


– Denny

1 Like