In a typical PHP installation, $_SESSION is fairly safe. The default setup is to store session data (i.e. the data in $_SESSION) inside a temporary file. You can check how your sessions are configured by examining the php.ini file. Generally you'll find this:
There's a bunch of other options, but these cover the basics. With this setup, all your session data gets written to files in the /tmp dir. The files are named /tmp/sess_SESSIONID, and are basically a serialized PHP array. When you do a session_start(), it checks the user's cookie that got passed in and loads the data from the temporary file back into $_SESSION.
If your /tmp directory is locally secure (on the server), it's a reasonably secure process. The main vector of attack would be to hijack/guess a session id, but these are generated randomly and have short lifetimes (another php.ini option by the way).
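To make the "serialized PHP array" on disk concrete, here is an added example (not from the original post) that parses a sess_SESSIONID file written by PHP's default `php` serialize handler, the format a responder sees when inspecting /tmp during an investigation; the sample file content is constructed.

```python
"""Parse a PHP session file written by the default 'php' serialize handler.

Assumes session.serialize_handler = php, whose on-disk layout is
`name|<serialize() output>` repeated once per $_SESSION key.
"""

# Constructed sample of what /tmp/sess_<id> might contain; not a real capture.
SAMPLE_SESSION_FILE = ('user_id|i:42;name|s:5:"alice";admin|b:0;'
                       'prefs|a:2:{s:5:"theme";s:4:"dark";i:0;d:1.5;}last|N;')


def _parse_value(data: str, pos: int):
    """Parse one serialize()-encoded value at pos; return (value, next_pos)."""
    tag = data[pos]
    if tag == 'N':                        # null: N;
        return None, pos + 2
    end = data.index(';', pos)
    if tag == 'i':                        # integer: i:42;
        return int(data[pos + 2:end]), end + 1
    if tag == 'd':                        # float: d:1.5;
        return float(data[pos + 2:end]), end + 1
    if tag == 'b':                        # bool: b:0; / b:1;
        return data[pos + 2:end] == '1', end + 1
    if tag == 's':                        # string: s:<len>:"...";  (len is bytes; ASCII here)
        colon = data.index(':', pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                 # skip :"
        return data[start:start + length], start + length + 2   # skip closing ";
    if tag == 'a':                        # array: a:<count>:{key value ...}
        colon = data.index(':', pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                   # skip :{
        result = {}
        for _ in range(count):
            key, pos = _parse_value(data, pos)
            result[key], pos = _parse_value(data, pos)
        return result, pos + 1            # skip }
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


def parse_session_file(data: str) -> dict:
    """Return the $_SESSION array stored in a php-handler session file."""
    session, pos = {}, 0
    while pos < len(data):
        bar = data.index('|', pos)        # variable name runs up to the first '|'
        session[data[pos:bar]], pos = _parse_value(data, bar + 1)
    return session


if __name__ == '__main__':
    print(parse_session_file(SAMPLE_SESSION_FILE))
```

Because string values are length-prefixed, a value containing `|` or `;` is parsed correctly rather than splitting on those characters.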