Can a user alter the value of $_SESSION in PHP?

Tags:

php

session

This is crossing my mind and I'm wondering whether it is possible: how secure can it be to store info in the $_SESSION variable of PHP?

Castro Roy asked Feb 25 '11 19:02



2 Answers

Storing variables in the $_SESSION variable has two potential sources of "insecurity".

  • The first, as described by the other answer, is called "session fixation". The idea here is that since the session ID is stored in a cookie, the ID can be changed to that of another user. This is not a problem if a user gets a new ID every single session, therefore making it very difficult to find the ID of a currently working session and hijack it.
  • The second depends entirely on your code. If your code leaks the values of the secret information you store in $_SESSION, then it is insecure. If your code allows the user to control the values of that information, it is insecure. Otherwise, if something is in the $_SESSION variable and your code never allows the user to see it or write to it, then it is secure.
YoriKv answered Oct 07 '22 19:10
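The second risk in the answer above, code that lets the user write into $_SESSION, is the one that actually bites in practice, because it needs no cookie theft at all. The following is an added example, not code from the answer or from the original question: it shows a profile handler that copies request fields straight into the session beside an allow-listed version, and a login routine that sets the privileged key server-side and regenerates the session ID so an ID an attacker planted or observed before login no longer refers to the authenticated session. The 'role' key, the users() store, the test accounts and the function names are all hypothetical.

```php
<?php
// Added example, not from the original answer. It puts the second risk
// YoriKv names (code that lets the user write $_SESSION) beside a fixed
// version, and shows the ID regeneration that blunts the first risk.
// The 'role' key, users() store and the function names are hypothetical.
declare(strict_types=1);

session_start();

// Constructed test accounts; the role lives here, never in the request.
function users(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'role' => 'admin'],
            'bob'   => ['hash' => password_hash('hunter2', PASSWORD_DEFAULT),       'role' => 'user'],
        ];
    }
    return $users;
}

// VULNERABLE: every request field is copied into the session. A client that
// sends role=admin becomes an admin. Nothing server-side was broken into;
// the code simply wrote whatever the client sent.
function update_profile_vulnerable(array $request): void
{
    foreach ($request as $key => $value) {
        $_SESSION[$key] = $value;   // attacker chooses key and value
    }
}

// HARDENED: only allow-listed, user-owned keys are written, with the value
// type-checked and length-bounded. Privileged keys are unreachable here.
const USER_EDITABLE_KEYS = ['display_name', 'locale'];

function update_profile_safe(array $request): void
{
    foreach (USER_EDITABLE_KEYS as $key) {
        if (isset($request[$key]) && is_string($request[$key])) {
            $_SESSION[$key] = substr($request[$key], 0, 64);   // byte-bounded
        }
    }
}

// The only place 'role' is written. session_regenerate_id() issues a fresh
// ID, so an ID an attacker planted or observed before login no longer
// refers to the authenticated session.
function login(string $username, string $password): bool
{
    $user = users()[$username] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);   // true: delete the old session record
    $_SESSION['user'] = $username;
    $_SESSION['role'] = $user['role'];
    return true;
}

function is_admin(): bool
{
    return ($_SESSION['role'] ?? null) === 'admin';
}

// Demo: the same constructed request against both handlers. Both runs
// complete before anything is printed, because session_regenerate_id()
// refuses to run once output (and therefore headers) has been sent.
$request = ['display_name' => 'Mallory', 'role' => 'admin'];
$results = [];

login('bob', 'hunter2');
update_profile_vulnerable($request);
$results['vulnerable'] = is_admin();

login('bob', 'hunter2');
update_profile_safe($request);
$results['hardened'] = is_admin();

foreach ($results as $variant => $admin) {
    printf("%-10s is_admin=%s\n", $variant, var_export($admin, true));
}
```

Run it with `php session_values.php` (PHP 7.4 or later; it writes its session file to the default save path). Bob logs in as a plain user both times; the vulnerable handler leaves him with role=admin, the hardened one does not, because the only code path that writes 'role' reads it from the server's own user record.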


PHP sessions work by storing a PHPSESSID cookie on the end user's computer that acts as an access key for server-based session information. That cookie value is a hashed string (the security of which depends on your PHP settings) that is used to link the particular browser to the specific session values you set.

That string looks something like b420803490a9f0fe8d6a80657fec3160. So, the end user could alter that string, but then their session will become invalid, since it almost certainly won't match one that's being stored by PHP, and they won't have access to data.

There is a risk, as others have mentioned, that someone's PHPSESSID becomes exposed and people use that to hijack someone else's session.

Yahel answered Oct 07 '22 19:10
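Two points worth making explicit about "depends on your PHP settings" in the answer above. Since PHP 7.1 the ID is not a hash at all but CSPRNG output, sized by session.sid_length and session.sid_bits_per_character. And an altered cookie is only harmless if session.use_strict_mode is on: with it off (the php.ini default), PHP accepts an ID it never issued and creates a session under it, which is exactly what lets an attacker fix a known ID in a victim's browser before login. The block below is an added example, not part of Yahel's answer: a function that applies the hardened session settings, and a small audit that checks a Set-Cookie header value for the cookie flags and an ID of the expected length and alphabet. The two Set-Cookie lines are constructed samples, and the function names are hypothetical.

```php
<?php
// Added example, not part of Yahel's answer. Shows the PHP settings that
// decide how strong and how exposed the PHPSESSID cookie is, and a small
// audit of a Set-Cookie header. The Set-Cookie samples are constructed.
declare(strict_types=1);

// Call before session_start(). These are ordinary php.ini directives.
function harden_session_settings(): void
{
    ini_set('session.use_strict_mode', '1');    // reject IDs the server never issued (php.ini default: 0)
    ini_set('session.use_only_cookies', '1');   // never take the ID from the URL
    ini_set('session.use_trans_sid', '0');      // never rewrite links to carry it
    ini_set('session.cookie_httponly', '1');    // not readable by script (limits theft via XSS)
    ini_set('session.cookie_secure', '1');      // HTTPS only
    ini_set('session.cookie_samesite', 'Lax');  // not sent on cross-site POSTs
    ini_set('session.sid_length', '48');        // 48 chars x 6 bits = 288 bits of CSPRNG output (PHP >= 7.1)
    ini_set('session.sid_bits_per_character', '6');
}

// Alphabet PHP uses for each session.sid_bits_per_character value.
const SID_ALPHABETS = [
    4 => '0-9a-f',
    5 => '0-9a-v',
    6 => '0-9a-zA-Z,-',
];

// Audits one Set-Cookie header value (without the "Set-Cookie: " prefix).
// Returns the problems found; an empty array means the cookie looks right.
function audit_session_cookie(string $setCookie, int $sidLength = 48, int $sidBits = 6,
                              string $name = 'PHPSESSID'): array
{
    $problems = [];
    $parts = array_map('trim', explode(';', $setCookie));
    [$cookieName, $id] = array_pad(explode('=', array_shift($parts), 2), 2, '');
    if ($cookieName !== $name) {
        return ["not the $name cookie"];
    }

    $flags = array_map('strtolower', $parts);
    $hasFlag = fn(string $f): bool => in_array($f, $flags, true);
    $sameSite = array_values(array_filter($flags, fn(string $f): bool => str_starts_with($f, 'samesite=')));

    if (!$hasFlag('httponly')) {
        $problems[] = 'missing HttpOnly';
    }
    if (!$hasFlag('secure')) {
        $problems[] = 'missing Secure';
    }
    if ($sameSite === [] || $sameSite[0] === 'samesite=none') {
        $problems[] = 'SameSite not Lax or Strict';
    }
    $alphabet = SID_ALPHABETS[$sidBits];
    if (!preg_match('/^[' . $alphabet . ']{' . $sidLength . '}$/', $id)) {
        $problems[] = sprintf('session ID is not %d chars of [%s]', $sidLength, $alphabet);
    }
    return $problems;
}

// Constructed samples: the 32-hex-char cookie from the answer with no flags,
// and a cookie issued under the settings above.
$samples = [
    'weak'     => 'PHPSESSID=b420803490a9f0fe8d6a80657fec3160; path=/',
    'hardened' => 'PHPSESSID=q7K,-LmZ3pT9aY-2c0RvXwHg1BdEuF8kN,oS5iJ4lP6tQzGy; path=/; Secure; HttpOnly; SameSite=Lax',
];

harden_session_settings();
foreach ($samples as $label => $header) {
    $problems = audit_session_cookie($header);
    printf("%-8s %s\n", $label, $problems === [] ? 'ok' : implode(', ', $problems));
}
```

Run with `php session_cookie_audit.php` (PHP 8.0 or later for str_starts_with). The first sample reports four problems (no HttpOnly, no Secure, no SameSite, and an ID far shorter than the configured 288 bits); the second reports none. In a live application the same audit can be fed the Set-Cookie lines from headers_list() or from a captured response, with the "Set-Cookie: " prefix stripped, which is a cheap regression check that nobody has loosened the session settings in php.ini.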