  1. #1
    SitePoint Wizard triexa's Avatar
    Join Date
    Dec 2002
    Location
    Canada
    Posts
    2,476
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Session security

    If I wanted to store all my user info in a session rather than fetching it through MySQL on every page load, is it still safe?

    I have this in htaccess:
    php_value session.cookie_domain .MYDOMAIN.COM

    Soo... is it stored in a session on the server or a cookie?

    Basically, if I were to say $_SESSION['access_level'] = 5, is there some way they could manipulate the value and give themselves a higher access level?
    AskItOnline.com - Need answers? Ask it online.
    Create powerful online surveys with ease in minutes!
    Sign up for your FREE account today!
    Follow us on Twitter

  2. #2
    Worship the Krome kromey's Avatar
    Join Date
    Sep 2006
    Location
    Fairbanks, AK
    Posts
    1,621
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    An identifier is stored in a cookie, but everything you store in session variables ($_SESSION) is stored server side, and is "safe".

    Google "session hijacking", however.
    PHP questions? RTFM
    MySQL questions? RTFM

  3. #3
    SitePoint Wizard silver trophy
    Join Date
    Mar 2006
    Posts
    6,132
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    by default, session data is stored to files. most shared webhosts have the default setup where all session files are stored in the same dir. so your session files live with the files of all the other accounts/websites on the same server. so anyone can read/write anyone's session files.

    consider that while maybe the owners of these other accounts on the server may not have malicious intents, security holes in their scripts may allow someone to gain the ability to execute php code on the server. now a malicious user has access.

    aside from this server side aspect, your code would need a security hole in it to allow a website visitor to change session variables. a common example would include blindly putting user supplied key/value pairs into the $_SESSION array, or allowing code to be executed.

    remember that when register_globals = On,
    $_SESSION['access_level'] and $access_level are essentially the same variable, so if you allowed $access_level to be assigned a value in your script, it would also change the session superglobal.
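    An added example, not code from this thread, that puts the "blindly putting user supplied key/value pairs into $_SESSION" hole from the post above beside a safer version, and shows a session setup that moves the save path off the shared default; the save path, function names and the users table columns are assumptions.

```php
<?php
// Added example (not from the thread). Path, function and column names
// are hypothetical.

// Before session_start(): keep session files in a directory only this
// site's PHP can read, and keep the id cookie out of JavaScript's reach.
ini_set('session.save_path', '/home/mysite/private/sessions'); // assumed path
ini_set('session.cookie_httponly', '1');
session_start();

// VULNERABLE: every POST field becomes a session variable, so a request
// carrying access_level=99 silently overwrites the server-side privilege.
function saveProfileUnsafe(array $post): void
{
    foreach ($post as $key => $value) {
        $_SESSION[$key] = $value;
    }
}

// SAFER: copy only an explicit allow-list of profile fields; privilege
// fields never come from the request at all.
const PROFILE_FIELDS = ['display_name', 'timezone'];

function saveProfileSafe(array $post): void
{
    foreach (PROFILE_FIELDS as $key) {
        if (isset($post[$key]) && is_string($post[$key])) {
            $_SESSION[$key] = $post[$key];
        }
    }
}

// access_level is written exactly once, from the database after a
// successful login (hypothetical users table), never from user input.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash, access_level FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);            // fresh id when privilege changes
    $_SESSION['user_id']      = (int) $row['id'];
    $_SESSION['access_level'] = (int) $row['access_level'];
    return true;
}
```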

  4. #4
    SitePoint Wizard triexa's Avatar
    Join Date
    Dec 2002
    Location
    Canada
    Posts
    2,476
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I do a lot of work on some pages with javascript as well.

    1) Can it access the same session information or is it simply not possible?
    2) Say I were to put "accountLevel = 5;" inside a <script> in my header file. This is EASILY changed through "javascript:accountLevel = 10" in the address bar. What can I do to combat this or do some other method?
    AskItOnline.com - Need answers? Ask it online.
    Create powerful online surveys with ease in minutes!
    Sign up for your FREE account today!
    Follow us on Twitter

  5. #5
    SitePoint Wizard silver trophy
    Join Date
    Mar 2006
    Posts
    6,132
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    javascript can access the session id, nothing more unless you provide a means for it.

