Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is there any security benefit to encrypting session variables? [closed]

Would it prevent, for example, session hijacking? If not, what can I do to make my php sessions secure?

like image 356
Stkbuhk Sajsnl Avatar asked Feb 06 '12 13:02

Stkbuhk Sajsnl


1 Answers

What is sent to the client is a session identifier and not a session variable. These session identifiers are usually set as a cookie in the client. Of course, if anyone gets hold of the session identifier (for example, by using cross site scripting attack) from the user's browser or client, he can set the session identifier in his own client and impersonate as the other user.

Session variables, however, usually refer to the values in $_SESSION array. See http://www.php.net/manual/en/function.session-start.php for an example. These values are never sent over the network to the client.

As far as protecting session identifiers is concerned, I have already explained in the first paragraph that they are stored as cookies in the browser. In an HTTP session, the cookies are transmitted between the server and client in cleartext. This is vulnerable to eavesdropping (for example, a guy on a router through which your packets pass could capture your packets and read the session identifier from it). The best way to overcome this problem is to use HTTPS instead.

like image 162
Susam Pal Avatar answered Sep 21 '22 07:09

Susam Pal