  1. #1 SitePoint Zealot (Asheville, NC)

    Question: is $_SESSION safe???

    hi, all.

    just wondering if $_SESSION is safe, or can it be manipulated by hackers?

    I got this login script that sanitizes input very well, then if it's clean I save everything inside $_SESSION vars.

    now, as a security-conscious programmer, can I really trust what's coming from the $_SESSION array or can it be manipulated by hackers as well?

    thanks for any thought!!!!

  2. #2 logic_earth (CA)
    $_SESSION data is stored on the server; it can only be manipulated by your program or, in some cases, by another site on the same server.

    The Session ID can however be manipulated.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  3. #3 zombat (Victoria, BC)
    In a typical PHP installation, $_SESSION is fairly safe. The default setup is to store session data (i.e. the data in $_SESSION) inside a temporary file. You can check how your sessions are configured by examining the php.ini file. Generally you'll find this:

    session.save_handler = files
    session.save_path = "/tmp"
    session.use_cookies = 1

    There's a bunch of other options, but these cover the basics. With this setup, all your session data gets written to files in the /tmp dir. The files are named /tmp/sess_SESSIONID, and are basically a serialized PHP array. When you do a session_start(), it checks the user's cookie that got passed in and loads the data from the temporary file back into $_SESSION.

    If your /tmp directory is locally secure (on the server), it's a reasonably secure process. The main vector of attack would be to hijack/guess a session id, but these are generated randomly and have short lifetimes (another php.ini option by the way).
    PHP/MySQL programmer for hire!
    http://www.zombat.net
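A hardened version of the session handling zombat's reply describes, as an added example that is not from the thread or from any poster: the data in $_SESSION stays server-side, so the controls below target the session ID in the cookie, the one part a client can forge or steal. The function names and $userId are assumptions; the ini options are standard PHP settings.

```php
<?php
// Added example, not from the thread. Settings must be applied before
// session_start(); they can also live in php.ini next to save_handler/save_path.
ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued (PHP >= 7.0)
ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
ini_set('session.cookie_httponly', '1');  // keep the cookie away from JavaScript
ini_set('session.cookie_secure', '1');    // send the cookie over HTTPS only
ini_set('session.cookie_samesite', 'Lax'); // PHP >= 7.3
ini_set('session.gc_maxlifetime', '1800'); // the "short lifetime" option zombat mentions

session_start();

/**
 * Call once the login script has verified the credentials.
 * $userId is a hypothetical value produced by that script.
 * Issuing a fresh ID on login defeats session fixation: an ID an attacker
 * planted in the victim's browser beforehand no longer maps to this session.
 */
function establishAuthenticatedSession(int $userId): void
{
    session_regenerate_id(true);   // true = delete the old sess_* file
    $_SESSION = [];                // drop anything stored before login
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

/**
 * Call on every request that requires a login. The values read from
 * $_SESSION are trusted, as the replies say; the check here is whether the
 * session has gone idle long enough that a stolen ID should stop working.
 */
function requireAuthenticatedSession(int $maxIdle = 1800): bool
{
    if (empty($_SESSION['user_id'])) {
        return false;
    }
    if (time() - $_SESSION['last_seen'] > $maxIdle) {
        session_unset();
        session_destroy();         // removes the server-side file
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}
```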

  4. #4 SitePoint Zealot (Asheville, NC)
    thanks for your replies!

    so I guess any value inside $_SESSION can be treated as safe; that's good news for me
