I'm primarily a C++ programmer, but I'm trying to pick up some PHP.
Apparently the way to implement web user sessions is to store the user's login ID in a cookie using the $_SESSION variable.
Is it not possible for someone to just modify their cookie, to give them different privileges or log in as a different user?
It seems like this authentication mechanism is just having the user store their ID in a file - and then just trusting them not to change it.
Is there something that prevents this?
Thanks!
Sessions are NOT server-side, they are stored on the client's local machine (you can go in your cookies and look for a cookie called PHPSESSID under your domain name). Yes they can be hacked, and this is in fact a very common method of hacking.
PHP sessions are only as secure as your application makes them. PHP sessions will give the user a pseudorandom string ("session ID") for them to identify themselves with, but if that string is intercepted by an attacker, the attacker can pretend to be that user.
This information is taken from "Session Management Basics" in the PHP manual, but simplified a bit. Some things may have been missed. Be sure to read through that as well.
- Always use HTTPS
- Enable session.use_strict_mode
- Enable session.use_only_cookies and disable session.use_trans_sid
- Referer header
- Periodically regenerate the session ID and invalidate old session IDs shortly after regenerating
- Optionally keep track of additional information in $_SESSION that relates to the request (IP address, user agent string, etc.)
No, a session is stored on the server and cannot be accessed by the user. It is used to store information across the site such as login sessions.
Here is an example of the usage:
    <?php
    session_start();
    // $hash is the password hash loaded from the user store
    if (password_verify($_POST['password'], $hash)) {
        $_SESSION['auth'] = true;
    }
    ?>
The session can then be accessed across the site to check to see if the user has been authenticated.
    <?php
    session_start();
    // empty() avoids an undefined-index notice on a fresh session
    if (!empty($_SESSION['auth'])) {
        echo "You are logged in!";
    }
    ?>
The user cannot edit these values; however, the session's ID is stored on the user's computer through a cookie as a long random string. If an unauthorized user gains access to this string, it is possible for them to access the site.
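Putting the manual's checklist from the earlier answer and the password_verify / $_SESSION['auth'] pattern from this one into a single bootstrap, as an added example (not code from either answer); the function names, the 15-minute rotation window and the user-agent binding are my own assumptions:

```php
<?php
// Added example, not from the original answers. Function names, the 900 s
// rotation window and the user-agent binding are assumptions.

function secure_session_start(): void
{
    // Hardened INI settings must be applied before session_start().
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1');  // never read the ID from the URL
    ini_set('session.use_trans_sid', '0');     // never append the ID to links
    ini_set('session.cookie_httponly', '1');   // keep the cookie away from page scripts
    ini_set('session.cookie_secure', '1');     // only send the cookie over HTTPS
    ini_set('session.cookie_samesite', 'Lax'); // PHP 7.3+
    session_start();

    // Bind the session to the user agent; on mismatch, wipe it and issue a new ID.
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    if (isset($_SESSION['ua']) && !hash_equals($_SESSION['ua'], $ua)) {
        session_unset();
        session_regenerate_id(true);
    }
    $_SESSION['ua'] = $ua;

    // Periodic regeneration: new ID every 15 minutes, old one deleted at once.
    if (!isset($_SESSION['rotated_at']) || time() - $_SESSION['rotated_at'] > 900) {
        session_regenerate_id(true);   // true = delete the old session data immediately
        $_SESSION['rotated_at'] = time();
    }
}

function login_user(string $password, string $storedHash, int $userId): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // A privilege change (login) gets a fresh ID so a pre-set ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['auth'] = true;
    $_SESSION['user_id'] = $userId;   // lives server-side; the cookie only carries the ID
    $_SESSION['rotated_at'] = time();
    return true;
}

function current_user_id(): ?int
{
    // empty() avoids an undefined-index notice on a fresh session
    return !empty($_SESSION['auth']) ? (int) $_SESSION['user_id'] : null;
}
```

Call secure_session_start() at the top of every request before touching $_SESSION; the cookie still only ever holds the random ID, so the user ID itself is never exposed to the client.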