Do I need to check session data in an AJAX request?

Good day, experts. Please advise: on the website, every time we generate a page, a database query is made, the token from the cookie is checked for user authorization, and if the token matches, the user data is stored in the session (just so as not to create global variables). And so on every page.

In general, the question arose: when making an AJAX request in which it is important to obtain reliable user data, should I do an additional database query, or can I pull it out of the session? In other words, is it possible to tamper with the session data from the browser, for example? I.e., can the user change the values the session holds, the way they can with a cookie?
June 10th 19 at 14:27
3 answers
June 10th 19 at 14:29
Try to remember where you stored the session data and then come back to my question.
Well, they are stored on the server, as far as I know; it's just not clear whether it is possible to replace the data, for example $_SESSION[ID], during an AJAX request without knowing the PHPSESSID? I mean that with a cookie it's all simple: change the value of $_cookie[user_id] directly through the browser before the request and the server will already have different data. - Anita.Maggio commented on June 10th 19 at 14:32
I don't really understand what attack vector you are describing. - Justice.Nienow commented on June 10th 19 at 14:35
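An added example (not from this thread) in PHP contrasting the two patterns discussed above: taking the user's identity from a client-editable cookie versus from the server-side session, together with the login step that writes it. The `users` table, its columns and the `$pdo` connection are assumptions.

```php
<?php
declare(strict_types=1);
session_start();

// Vulnerable pattern: $_COOKIE is fully client-controlled, so anyone can edit
// a `user_id` cookie in the browser and the server would act as that account.
function userIdFromCookie(): ?int
{
    return isset($_COOKIE['user_id']) ? (int) $_COOKIE['user_id'] : null;
}

// Safe pattern: $_SESSION lives on the server, looked up by the opaque PHPSESSID.
// The browser only holds the id, so it cannot change what was stored at login.
function userIdFromSession(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Login: verify the password, rotate the session id (blocks session fixation),
// then record the identity server-side. Table/column names are hypothetical.
function loginUser(PDO $pdo, string $login, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// AJAX endpoint: identity comes from the session; the extra DB query is only
// for data that may have changed since login (e.g. a role revoked by an admin).
function handleAjax(PDO $pdo): void
{
    header('Content-Type: application/json');
    $userId = userIdFromSession();
    if ($userId === null) {
        http_response_code(401);
        echo json_encode(['error' => 'not authenticated']);
        return;
    }
    $stmt = $pdo->prepare('SELECT role FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    echo json_encode(['user_id' => $userId, 'role' => $stmt->fetchColumn()]);
}
```

The session stores only the identity; authorization attributes that an administrator can change after login are re-read from the database on each request.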
June 10th 19 at 14:31
In theory, yes, another user may tamper with the data. But the chance is very tiny if you, for example, use 128-bit encryption, which I don't think anyone will be brute-forcing.
Well, how would they fake it? Only if they somehow tampered with the PHPSESSID and then sent a request to the server? - Anita.Maggio commented on June 10th 19 at 14:34
Cookies can be edited manually in the browser without third-party software.
But 128-bit encryption offers 340 282 366 920 938 463 463 374 607 431 768 211 456 variations. I think you understand how difficult breaking it would be.
Here's the article, read it, and you will understand that none of this will work. - Justice.Nienow commented on June 10th 19 at 14:37
What is 128-bit encryption? Do you mean encrypting the data in the session and then decrypting it on the server? - Anita.Maggio commented on June 10th 19 at 14:40
You are using the default PHPSESSID in PHP. It creates an encrypted key.
In any case, read these articles: here and here. - nasir commented on June 10th 19 at 14:43
June 10th 19 at 14:33
To substitute the administrator's PHPSESSID, you have to know it. So I don't think that's realistic: stealing the PHPSESSID and using it while the admin's current session is still active.
It's realistic, but then anything else can be stolen just as well (cookies, login, password). - Anita.Maggio commented on June 10th 19 at 14:36
