Is there any (known) way for end users to edit a Laravel session variable?
Is the session of Laravel secure? With Laravel, you can encrypt data with AES-256 and AES-128 using the OpenSSL library. Laravel uses a Message Authentication Code (MAC) to ensure that encrypted values cannot be modified by unauthorized and unwanted parties.
By default, session variables are created with the secure flag set to true. If any secure variables are saved to the database, you must type your password, which is used as the encryption key.
Yes they can be hacked, and this is in fact a very common method of hacking. Someone will hack into the session, then play around with the values of the session variables and try to find one that gives them administrator status or what not.
“Is a PHP session secure? PHP sessions are only as secure as your application makes them. PHP sessions will allow the client a pseudorandom string (“session ID”) for them to distinguish themselves with, but on the off chance that the string is intercepted by an attacker, the aggressor can imagine to be that client.
Is there any (known) way for end users to edit a Laravel 4 session variable?
Yes there is, but only if you go out of your way to make it possible. The steps required are:
If you do these ill-advised steps, in addition to allowing users to overwrite session data, this is a risk for PHP object injection via unserialize()
.
Advice: If you are going to store session state in a cookie, make sure it's wrapped in authenticated encryption. Laravel's encryption library employs authenticated encryption (Encrypt then MAC), and the sessions use this by default.
As for the other drivers, that depends on your network topology. If your database is on another server and your attacker can impersonate the web server, they can put whatever they want in the database.
Last I checked, Laravel defaults to encrypt session data (unless you disable encryption). Unless your database is on the same host as the webserver, leave it turned on.
They would have to run code (something like Session::put('key', 'value');
) on your server.. or take advantage of possible vulnerabilities on your application.
If you're using the Session carefully on your side (validation, etc.) it should remain the same unless you update it.
More on Laravel's Session here: http://laravel.com/docs/4.2/session
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With