Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Session injection?

Tags:

security

php

session

How should I host the id of the user on the session? just to insert the id? I mean (for example):

$_SESSION['id'] = 1;

There isn't a way to change it by the user himself (as cookie..)? Because if so, he can change to any id.

One more question about it - how can I check if user is logged in (with sessions)? I created a session:

$_SESSION['is_logged_in'] = true;

Again, can't the user just create a session which his name is 'is_logged_in' and his value is true? or just the server has a control about the value of the server?

like image 681
Luis Avatar asked Sep 30 '11 21:09

Luis

People also ask

What is an example of session hijacking?

The most common method of session hijacking is called IP spoofing, when an attacker uses source-routed IP packets to insert commands into an active communication between two nodes on a network and disguise itself as one of the authenticated users.

What is session hijacking?

Session hijacking is a technique used by hackers to gain access to a target's computer or online accounts. In a session hijacking attack, a hacker takes control of a user's browsing session to gain access to their personal information and passwords.

What is session fixation attack?

Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application.

What are the methods of session hijacking?

There are three primary techniques for hijacking sessions: Brute Force – the attacker tries multiple IDs until successful. Calculate – in many cases, IDs are generated in a non-random manner and can be calculated. Steal – using different types of techniques, the attacker can acquire the Session ID.

1 Answers

All session variables in PHP are stored server side. The client stores a cookie that references which session should be used, and then the server looks up the values for the session. It is safe to store is_logged_in in your session as well as the user id.

What you should be aware of is if another user gets a hold of another user's session cookie, they will be able to imitate that user until the session times out. One simple solution is to link sessions to IPs.

like image 165
xthexder Avatar answered Oct 08 '22 22:10

xthexder
Sign in to Comment

Related questions

Excel output with codeigniter
Protection against XSS exploits?
stripos returns false when special characters is used
Nested Select using Zend Db
shuffle order of images in php
Add events to outlook calendar with php script
php get parent class file path
Identify whether HTTP requests from Android App or not? and then respond appropriately
The advantage / disadvantage of private variables?
PHP, in_array and fast searches (by the end) in arrays
PHP script... goes back in time?
Does echo() Accept numbers?
Not getting anything back from sqlsrv_num_rows
PHP - Class that can be instantiated only by another class
Loading a custom Yii Component
upload_max_filesize - The perfect ubuntu server ISPConfig 3
Creating Discount Code System (MySQL/php)
Sending encoding response in json
Authentication model for Android application
Set timezone of PostgreSQL instance

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!