how safe is it to rely on a value stored as a session variable?


Vlad

Jun 6, 2019, 10:11:19 PM
to web2py-users
I don't really understand how it works internally, so I'm wondering if it's safe to rely on a value stored as a session storage variable.
More specifically, I am authorizing one user to do certain actions on behalf of another user, and the currently assumed user is stored in session.user (even if auth.user_id is somebody else).
If somebody can hack the session and change the value of session.user, it would be a potentially dangerous situation, so if it's not safe, I would have to figure out something else. It's just easy and tempting to use some variables in a session.
Any ideas on how safe it is?

p.s. I don't care if somebody can read it - my only concern is that they shouldn't be able to overwrite it, because this would give them authority to perform certain actions.

Anthony

Jun 7, 2019, 12:32:13 PM
to web2py-users
Users can neither read nor write to the session (even cookie based sessions, which are encrypted), so it is "safe" in that regard. Of course, we don't know what your app code is writing to the session -- if you take user input and write it to the session, then it may not be safe.

Anthony
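The distinction Anthony draws, as an added illustration that is not part of the thread and not web2py's own code: plain dicts stand in for web2py's `session` and `request.vars`, `DELEGATIONS` is a constructed table of who may act as whom, and the function names are hypothetical. The session store itself is not the weak point; what matters is whether the app writes a client-chosen value into it unchecked.

```python
# Added example (not from the thread): plain dicts model web2py's session
# and request.vars. In web2py the session lives server-side (or in an
# encrypted cookie), so a value the app stored there is as trustworthy as
# the code that wrote it.

class NotAuthorized(Exception):
    pass

# Constructed sample data: authenticated user id -> ids it may act as.
DELEGATIONS = {
    101: {202},
}

def unsafe_start_acting_as(session, request_vars):
    """Pattern to avoid: a client-supplied id is copied straight into the
    session. The session is still unreadable and unwritable by the user,
    but its content is now whatever the client asked for."""
    session["user"] = int(request_vars["as_user"])
    return session["user"]

def start_acting_as(session, auth_user_id, request_vars):
    """Safe pattern: the requested target is written to the session only
    after checking that the *authenticated* user (auth.user_id, which the
    app controls) is allowed to delegate to it."""
    target = int(request_vars["as_user"])
    if target not in DELEGATIONS.get(auth_user_id, set()):
        raise NotAuthorized(f"user {auth_user_id} may not act as {target}")
    session["user"] = target
    return target

def stop_acting_as(session):
    """Drop the delegation; later requests fall back to the real identity."""
    session.pop("user", None)

def effective_user(session, auth_user_id):
    """Identity to use for authorization decisions: the delegated id the
    app stored, otherwise the logged-in user. Read it from the session,
    never from request.vars."""
    return session.get("user", auth_user_id)
```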

Eliezer (Vlad) Tseytkin

Jun 7, 2019, 12:43:22 PM
to web...@googlegroups.com
Thank you!
