Users can neither read nor write to the session (even cookie-based sessions, which are encrypted), so it is "safe" in that regard. Of course, we don't know what your app code is writing to the session -- if you take user input and write it to the session, then it may not be safe.
Anthony

On Thursday, June 6, 2019 at 10:11:19 PM UTC-4, Vlad wrote:
> I don't really understand how it works internally, so I'm wondering if it's safe to rely on a value stored as a session storage variable.
> More specifically, I am authorizing one user to do certain actions on behalf of another user, and the currently assumed user is stored in session.user (even if auth.user_id is somebody else).
> If somebody can hack the session and change the value of session.user, it would be a potentially dangerous situation, so if it's not safe I would have to figure out something else. It's just easy and tempting to use some variables in a session.
> Any ideas on how safe it is?
>
> p.s. I don't care if somebody can read it - my only concern is that they shouldn't be able to overwrite it, because this would give them authority to perform certain actions.

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
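The two points in the reply above, shown as an added example (this is illustrative Python, not code from the thread and not web2py's own session implementation): first, a session carried in a cookie is only as trustworthy as the integrity protection on it, so a client who edits the cookie body is rejected; second, the real risk is application code copying client input into session.user without checking it. The HMAC scheme, the names Session, DELEGATIONS, choose_user_unsafe, choose_user_checked, tamper_user, and the sample data are all assumptions constructed for the example.

```python
"""
Added example, not from the thread and not web2py code.

Part 1: a cookie-held session protected by an HMAC tag (a generic scheme,
        assumed for illustration; web2py's real format is not reproduced).
Part 2: an impersonation check that decides server-side whether the
        authenticated user may act as the requested target before
        writing anything into session.user.
"""
import hashlib
import hmac
import json

# Constructed: server-side secret that never reaches the browser.
SECRET_KEY = b"constructed-demo-secret"

# Constructed sample data: delegate id -> ids that delegate may act for.
DELEGATIONS = {
    2: {1},        # user 2 may act on behalf of user 1
    3: {1, 2},     # user 3 may act on behalf of users 1 and 2
}


class Session(dict):
    """Minimal stand-in for a session object (a dict is enough here)."""


# ---- Part 1: integrity-protected cookie session -------------------------

def seal(session, key=SECRET_KEY):
    """Serialize the session and append an HMAC-SHA256 tag over the bytes."""
    body = json.dumps(dict(session), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def unseal(cookie, key=SECRET_KEY):
    """Return the Session if the tag verifies, else None (tampered/forged)."""
    body_hex, _, tag = cookie.partition(".")
    try:
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return Session(json.loads(body))


def tamper_user(cookie, new_user):
    """What a client can do: rewrite the body, but not recompute the tag."""
    body_hex, _, tag = cookie.partition(".")
    data = json.loads(bytes.fromhex(body_hex))
    data["user"] = new_user
    return json.dumps(data, sort_keys=True).encode().hex() + "." + tag


# ---- Part 2: the app-level risk the reply warns about -------------------

def choose_user_unsafe(session, request_vars):
    """UNSAFE: copies a client-supplied id straight into session.user.
    The session store is not the weak point; this line is."""
    session["user"] = int(request_vars["user"])
    return session["user"]


def may_act_as(auth_user_id, target):
    """Server-side policy: self, or an explicitly delegated target."""
    return target == auth_user_id or target in DELEGATIONS.get(auth_user_id, set())


def choose_user_checked(session, auth_user_id, request_vars):
    """SAFE: the client proposes a target; the server decides.
    session.user is written only after the policy check passes."""
    target = int(request_vars["user"])
    if not may_act_as(auth_user_id, target):
        raise PermissionError(f"user {auth_user_id} may not act as user {target}")
    session["user"] = target
    return target


if __name__ == "__main__":
    cookie = seal(Session(user=2))
    print("valid cookie ->", unseal(cookie))
    print("edited cookie ->", unseal(tamper_user(cookie, 1)))
    s = Session()
    print("checked impersonation ->", choose_user_checked(s, 2, {"user": "1"}), s)
```

Run it directly to see the edited cookie rejected and the delegated impersonation accepted; the unsafe variant is there only to show the pattern the reply cautions against.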