  1. #1 (SitePoint Enthusiast)

    How secure are session variables?

    I was designing a login system and I was wondering at the possibility of using session variables for it.

    Specifically, I wanted to know:

    1) I wanna know if it's possible for a client to read the session variables set by the site?

    2) Is it possible for the user to modify the session variables?

    I mean session variables such as $_SESSION["SOMETHING"].

    Awaiting replies,
    Thanking You,
    Dhaval

  2. #2 (Non-Member, Scotland)
    1) Yes
    2) Yes

    Now I know I'm about to get ranted at and called stupid, but think about it. Sessions are sent to the browser (or the session id is, which is enough to do some messing around). With the openness of browser code (e.g. Firefox is open source), surely someone could make their own browser which lets them change session id or variables?

    Seems possible to me

  3. #3 (SitePoint Addict)
    Quote Originally Posted by mikexx2020
    1) Yes
    2) Yes

    Now I know I'm about to get ranted at and called stupid, but think about it. Sessions are sent to the browser (or the session id is, which is enough to do some messing around). With the openness of browser code (e.g. Firefox is open source), surely someone could make their own browser which lets them change session id or variables?

    Seems possible to me
    Well, since you suggested it ;-)

    When you start a session, all that's stored on the client computer is an id. It is usually called PHPSESSID and has a long number as a value; view your cookies and you'll no doubt see some examples.

    All your session variables are actually stored on the server. If you know what your session storage path is on your server, you will find a file for each session which has the same file name as the session id stored in the user's cookie.

    So session variables are as secure as your server, since someone would have to open your session files on your server to change the values.

  4. #4 (Non-Member)
    > since someone would have to open your session files on your server to change the values.

    Seems impossible, I know, but... a lot of people use shared hosting, myself included at some point in my life. My advice is to put your session data into a database, as it just makes it a whole lot more difficult for someone to get to it.

    Also think about using a different name for your sessions, other than the default PHPSESSID. Also regenerate your session id on each request, to help avoid fixation.

  5. #5 (SitePoint Enthusiast)
    Haa... this is good news.

    Thanks for the replies.

    Hmm... change the name of the sessions. Googling it now.
