Is there any scenario where a client/user/hacker can set $_SESSION
variables themselves (excluding malicious software running on a server computer. I mostly mean via the browser)?
The reason I ask is because of this question that I asked a few days ago. Since then I have become pretty confused on the subject, but I've got a better idea of session fixation and hijacking.
To put it as simply as possible, if I validate every page with something like isset($_SESSION['validated'])
, is it secure?
Session variables can be accessed on the client side. For example you could check the value by calling: alert('<%=Session["RegisterId"] %>'); Anything between the "<%" and "%>" runs at the server so it will evaluate the current value of the session.
@George Korac: Yes.
PHP $_SESSION is an associative array that contains all session variables. It is used to set and get session variable values.
Session variables are set with the PHP global variable: $_SESSION.
Yes if you were assigning $_SESSION
variables directly to unfiltered user input.
Which brings me to my point: NEVER TRUST INPUT FROM THE USER. EVER
If indeed you are filtering the input, then I don't see how it could be done.
Yes, it's possible. Read about Session poisoning and another quite common security issue Session fixation on Wikipedia or Google it - the web is full of articles about that.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With