Is php session unchangeable from user end? [duplicate]

Tags: php, session

I am developing my own application which requires user login. All users and passwords (encrypted) are stored in a database. When a user tries to log in, it searches the database for the username and password. If all is ok, then I store the username in $_SESSION["username"], the user role (admin, author etc.) in $_SESSION["role"] and the user website in $_SESSION["website"] (I need the website to be stored because the application is like "multisite": my application is hosted on client hosting but the administration is on my server).

I read this Can a user alter the value of $_SESSION in PHP? and I don't understand. Is this method (storing data and whether the user is logged in) in a $_SESSION secure?

Can the user change the session content? (For example, if the user is logged in and $_SESSION["website"] is "example.com", can the user change the session $_SESSION["website"] to "example.org" to ruin another website? If yes, how do I avoid it, or what is the secure alternative to sessions?)

And please tell me what session hijacking is and how it can affect my site, and also how to make the session_id change dynamically?

Thank you so much!

MM PP asked Jun 11 '15 05:06 (544 votes)


4 Answers

$_SESSION is saved on the server, so the user cannot modify it (except in the case of session hijacking).

kd0807 answered Oct 19 '22 05:10 (112 votes)


Session() is server-side, as @kd0807 noted. For more info on Session Hijacking and Fixation:

  • http://phpsec.org/projects/guide/4.html
  • http://php.net/manual/en/session.security.php

Side note: with the number of variables, I recommend an array for $_SESSION['user']. Example:

$_SESSION['user'] = array(
    'userid'   => '123',
    'username' => 'some_joe',
    'role'     => 'customer', // user, customer, admin, moderator etc.
    'website'  => 'http://www.example.com'
);

// reading variables from the array
$userid   = $_SESSION['user']['userid'];
$username = $_SESSION['user']['username'];
// etc. etc.

Here are 3 very simplified functions I use.

// Determine whether a session has already been started
function HasSessionStarted() {

    $result = false; // default to false

    // PHP_SESSION_ACTIVE means session_start() has already been called on this request
    if ((session_status() == PHP_SESSION_ACTIVE) && (session_id() != '')) {
        $result = true;
    }

    return $result;

}

// Set a session value
function Set_Session($name, $value) {
    /* @params value: can be a string or an array */
    // If no session is open yet, open one just for this write and close it again
    $new_session = !HasSessionStarted();

    if ((isset($name)) && (isset($value))) {
        if ($new_session) { session_start(); }
        $_SESSION[$name] = $value;
        if ($new_session) { session_write_close(); }
    }

}

// Remove a session value
function Unset_Session($name) {

    $new_session = !HasSessionStarted();

    // $_SESSION is only populated once the session is open, so start it before checking
    if ($new_session) { session_start(); }
    if (isset($_SESSION[$name])) {
        unset($_SESSION[$name]);
    }
    if ($new_session) { session_write_close(); }

}
Brian answered Oct 19 '22 04:10 (39 votes)
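The answers above say the session lives on the server and that the only things the user controls are the cookie and the inputs you accept. The following login handler is an added example, not code from the answers above or from the asker's application: it verifies the password against a hash, rotates the session ID at login with session_regenerate_id() (so an ID planted before login, i.e. session fixation, is useless afterwards), stores the user array in the layout Brian suggests, and takes role and website from the server-side record rather than from anything the client sent. The $users array, the hypothetical user record, the cookie settings and the function names are all assumptions standing in for the database lookup the question describes.

```php
<?php
// Added example (not from the original answers): a login handler that keeps every
// trust decision on the server and rotates the session ID at authentication.
// Assumption: findUser() stands in for the question's database query; hashes
// were produced with password_hash().

declare(strict_types=1);

function startHardenedSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Refuse session IDs the server never issued (closes the simplest fixation path).
    ini_set('session.use_strict_mode', '1');
    // HttpOnly keeps the cookie out of document.cookie; Secure limits it to HTTPS.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Constructed stand-in for the users table (hypothetical record). */
function findUser(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'some_joe' => [
                'userid'  => 123,
                'hash'    => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
                'role'    => 'author',
                'website' => 'example.com',
            ],
        ];
    }
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool
{
    startHardenedSession();
    $user = findUser($username);
    // Verify against a dummy hash for unknown users so the response time does not
    // reveal whether the account exists.
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('dummy', PASSWORD_DEFAULT);
    $hash = $user['hash'] ?? $dummyHash;
    if (!password_verify($password, $hash) || $user === null) {
        return false;
    }
    // Drop the pre-login ID so anything fixated before authentication is worthless.
    session_regenerate_id(true);
    // Everything below comes from the server-side record, never from the request.
    $_SESSION['user'] = [
        'userid'   => $user['userid'],
        'username' => $username,
        'role'     => $user['role'],
        'website'  => $user['website'],
    ];
    return true;
}

function currentWebsite(): ?string
{
    startHardenedSession();
    return $_SESSION['user']['website'] ?? null;
}

function requireRole(string $role): void
{
    startHardenedSession();
    if (($_SESSION['user']['role'] ?? null) !== $role) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage, e.g. from login.php:
// if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) { header('Location: /admin.php'); exit; }
```

Because the website value is copied from the user's own database record at login, there is no request parameter the client could tamper with to point the session at another site; the only way to end up with "example.org" in the session is for the server-side record to say so.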


There is a cookie stored in the browser, usually PHPSESSID, which identifies which server session the user is using. If a user were able to steal it (this usually happens through XSS vulnerabilities), the user could potentially take control of another user's session.

The session data itself is stored on the server and could only be modified if a user were somehow able to upload and execute a malicious script on the server.

andrew answered Oct 19 '22 04:10 (3 votes)
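Since a stolen PHPSESSID is only useful while the server still honours it, the defender's lever is to keep that window short and to make logout really invalidate the session. This is an added example, not code from andrew's answer or from the asker's application: an idle timeout, periodic rotation of the ID with session_regenerate_id(true), and a logout that clears the data, expires the cookie and destroys the server-side record. The timeout values and function names are illustrative assumptions; it assumes the session cookie was already configured with HttpOnly and Secure at session start.

```php
<?php
// Added example (not part of the original answers): per-request session checks that
// shorten the useful life of a captured session cookie, plus a logout that
// invalidates the server-side record. Timeout values are constructed choices.

declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS     = 15 * 60; // constructed value
const REGENERATE_EVERY_SECONDS = 5 * 60;  // constructed value

function ensureSessionOpen(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Returns true when a logged-in, still-valid session exists for this request.
function validateSession(int $now): bool
{
    ensureSessionOpen();
    if (!isset($_SESSION['user'])) {
        return false;                          // nobody logged in
    }
    $last = $_SESSION['last_activity'] ?? $now;
    if ($now - $last > IDLE_TIMEOUT_SECONDS) {
        logout();                              // idle too long: a stolen ID dies with it
        return false;
    }
    $_SESSION['last_activity'] = $now;

    // Rotate the ID periodically so a captured cookie stops working soon after capture.
    $rotated = $_SESSION['id_rotated_at'] ?? 0;
    if ($now - $rotated > REGENERATE_EVERY_SECONDS) {
        session_regenerate_id(true);           // true = delete the old session file
        $_SESSION['id_rotated_at'] = $now;
    }
    return true;
}

function logout(): void
{
    ensureSessionOpen();
    $_SESSION = [];
    // Expire the cookie in the browser as well as removing the data on the server.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }
    session_destroy();
}

// Usage at the top of every authenticated page:
// if (!validateSession(time())) { header('Location: /login.php'); exit; }
```

Rotating the ID does not stop the theft itself (that is what the HttpOnly flag and fixing the XSS are for); it limits how long the stolen value remains valid, and the idle timeout means an attacker who waits loses the session entirely.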


No. Unless the PHP code itself reveals the PHP session ID, which could then be used for session stealing, the session cannot be changed from the user end, unless you yourself provide some functionality to change the session from the front end.

Sourabh Kumar Sharma answered Oct 19 '22 04:10 (2 votes)