Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What are the risks of PHP sessions?

Tags:

security

php

session

So everyone says that sessions have security risks, I want to know what kind of risks are these? What can hackers do with sessions?

This is not about knowing how to avoid attacks, I want to know how hackers are doing it, and what are they doing.

I talk about PHP SESSIONS.

like image 314
Adam Halasz Avatar asked Jul 11 '10 19:07

Adam Halasz

People also ask

Are PHP sessions safe?

“Is a PHP session secure? PHP sessions are only as secure as your application makes them. PHP sessions will allow the client a pseudorandom string (“session ID”) for them to distinguish themselves with, but on the off chance that the string is intercepted by an attacker, the aggressor can imagine to be that client.

Can PHP sessions be hacked?

Sessions are NOT serverside, they are stored on the clients local machine (you can go in your cookies and look for a cookie called phpssid under your domain name). Yes they can be hacked, and this is in fact a very common method of hacking.

Can sessions be hacked?

After a user starts a session such as logging into a banking website, an attacker can hijack it. In order to hijack a session, the attacker needs to have substantial knowledge of the user's cookie session. Although any session can be hacked, it is more common in browser sessions on web applications.

2 Answers

The answer by sAc is very good. However, don't rule out "sessions" because of this.

I've successfully deployed custom sessions which, among other things, fixes hijacking, password reversal (md5/rainbow) and (if used correctly) session fixation.

By "successfully deployed" I mean passing penetration testing and (of course) actually being better than the traditional.

There is no "secret" or obscure security; basically, it generates a random (and database-wise unique) number (actually, a guid in my case) per user account and stores the guid+username as the normal method (instead of username+hashed/salted password). Next, it binds this guid with the user's ip address. Not infallible, but using a guid and per-ip already is an improvement over the current session system. Of course, there are flaws which open up after specific targeting (such as ip spoofing+the hijacked guid and username). But in general, it's a way better alternative.

like image 21
Christian Avatar answered Oct 02 '22 05:10

Christian

Mainly here are the risks:

  • Session hijacking
  • Session fixation

Consider using OWASP to do against it.

Also have a look at:

PHP Security Guide

like image 93
Sarfraz Avatar answered Oct 02 '22 05:10

Sarfraz
Sign in to Comment

Related questions

Get current controller and action id in Yii
strtolower() on an array
Get the date of one week from today
PHP unserialize fails with non-encoded characters?
Why is it whenever I use scandir() I receive periods at the beginning of the array?
php: converting number to alphabet and vice versa
PHP - Adding divs to a foreach loop every 4 times [duplicate]
How to enable and use HTTP PUT and DELETE with Apache2 and PHP?
How do I customize NetBeans PHP auto DocBlock for methods and attributes?
Download in browser with ajax request
Ways to create a unique user fingerprint in PHP
How are people handling content management system production staging?
Hashing a session fingerprint really necessary?
How does a class extension or Interface work?
Getting a PDO query string with bound parameters without executing it
understanding php curl_multi_exec
How do one use ACL to filter a list of domain-objects according to a certain user's permissions (e.g. EDIT)?
SQL Infinite Calendar Pattern
Asynchronous processing or message queues in PHP (CakePHP) [closed]
Simple comet example using php and jquery

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!