Is it possible for a malicious user to edit $_SESSION?

Tags: php, session

I save some important info in $_SESSION, not in $_COOKIE. So, my question: is it dangerous? Or is it protected from malicious users trying to edit it, and I'm fine? Thank you.

By the way, is it also possible to edit $_COOKIE? I heard yes, but if yes, then how?

Score: 591. Asked Dec 29 '09 20:12 by good_evening.


2 Answers

$_SESSION is stored server-side. The best a hacker could do would be to substitute another user's session for the existing session, but the hacker could not insert arbitrary data into $_SESSION. $_COOKIE is, however, stored client-side, so a hacker can insert arbitrary data into the cookie by just editing the cookie.

Score: 194. Answered Oct 15 '22 14:10 by Mike.


By default, $_SESSION is already backed by a cookie with the name phpsessionid (so that the server is able to identify the client and associate it with one of the sessions in the server's memory). If a hacker knows the cookie value of someone else and copies it into their own cookie with the same name on the same domain/path, then the hacker has access to the same $_SESSION. The cookie value is, however, long and random enough to minimize the risk of the session being hijacked within half an hour (the default session timeout).

Score: 37. Answered Oct 15 '22 15:10 by BalusC.
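Both answers make the same point from two sides: the data in $_SESSION sits in the server's store and the client only presents the session ID cookie, so the real risk is that ID being stolen or replayed, while anything read from $_COOKIE is client-supplied and must be validated like any other input. The following is an added example, not code from either answer or from the PHP project; it assumes PHP 7.3 or later (for the array form of `session_set_cookie_params()`), a hypothetical `loginUser()` called after credentials have already been verified elsewhere, and a constructed `theme` cookie.

```php
<?php
// Added example (not from the answers above): hardening the session-ID cookie
// that $_SESSION is keyed on, and treating $_COOKIE as untrusted input.
// Assumes PHP >= 7.3; loginUser() is a hypothetical post-authentication hook.

declare(strict_types=1);

// 1. Session cookie attributes: keep the ID away from scripts and plain HTTP.
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie, dropped on browser close
    'path'     => '/',
    'domain'   => '',       // current host only
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable via document.cookie
    'samesite' => 'Lax',    // not sent with cross-site POST requests
]);

// 2. Only accept IDs the server itself issued (an unknown ID is discarded and
//    a fresh one generated), and only ever read the ID from the cookie.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');

session_start();

// 3. Inactivity timeout enforced by the application rather than relying on
//    garbage collection alone. 1800 s mirrors the default gc_maxlifetime.
const IDLE_LIMIT = 1800;
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
    $_SESSION = [];                 // drop all server-side data
    session_regenerate_id(true);    // new ID, old session record deleted
}
$_SESSION['last_seen'] = time();

// 4. On privilege change, issue a new ID so an ID observed before login
//    (or planted in the browser earlier) no longer maps to the logged-in session.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// 5. $_COOKIE is client-controlled: whitelist its value and never let it carry
//    an authorisation decision. Constructed example: a "theme" preference cookie.
function preferredTheme(): string
{
    $allowed = ['light', 'dark'];
    $theme = $_COOKIE['theme'] ?? 'light';
    return in_array($theme, $allowed, true) ? $theme : 'light';
}

// 6. Authorisation state is read from the server-side store only. The client
//    can present a session ID, but cannot alter the data stored behind it.
function currentUserId(): ?int
{
    return $_SESSION['user_id'] ?? null;
}
```

The `use_strict_mode` setting is what closes the "substitute another session" gap Mike describes for IDs an attacker makes up: PHP will not adopt an ID it did not generate. It does nothing against a genuinely stolen ID, which is why the cookie flags, the idle timeout and the regeneration on login are there as well.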