session variables
hey!
Just wondering if it is at all possible for one user to alter another user's session variables knowing what their session id is. I've got a big crazy experiment I want to try, but I need to be able to do this. Basically, when a user logs on, their session id will get stored into a database, and another user of another session can grab the session id and change a variable pertaining to that session id? Possible? Please say yes, and if it's no, please explain, because I'm really thinking this is possible, but I could be horribly wrong. If I can get this to work, the world is mine!!
thanks all!
x
I'm no expert, but if all you need to hijack a session is the session id, a possible solution would be to get more info from the client that can be used to help verify the session. You could use stuff like the user agent string, IP address, etc. Then if someone tries to hijack the session, some of the info will not match and you can take action.
d_d wrote: I'm no expert, but if all you need to hijack a session is the session id, a possible solution would be to get more info from the client that can be used to help verify the session. You could use stuff like the user agent string, IP address, etc. Then if someone tries to hijack the session, some of the info will not match and you can take action.
You make it seem stealing a session ID is a piece of cake.
- feyd
PHP allows hijacking of sessions, as that's not a part of its core. Disallowing the hijacking of a session can be challenging, for many reasons: their IP may change throughout the session, their IP may be a router/proxy where many users are behind the same unit. The agent string isn't very unique, and would use a lot of space in a database unless you stored off the uniques and referred to their id numbers, but even then, you'll see the same user agent quite often. Turning off trans_id can help; however, this breaks all users without cookies, so it's heavily dependent on the restrictions you want to set up.
You can add additional authentication like fairly long cookie/url values as hashes, or uniquely hashing the username and password in some fashion, although you'd best use a REAL good encryption/hash for it, so it's a huge waste of time to try to break.
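Added example, not code from this thread or any poster: a PHP sketch of what feyd describes, binding a logged-in session to a long random cookie token (plus a weak User-Agent fingerprint, with the IP deliberately left out for the reasons given above), so that knowing only the session id is not enough to act as that user. It assumes PHP 7.3 or later and an `APP_FP_SECRET` environment variable; both the variable and the function names are my own choices.

```php
<?php
declare(strict_types=1);

const AUTH_COOKIE = 'auth_token';   // assumed cookie name, not from the thread

function client_fingerprint(): string
{
    // User-Agent alone is weak (feyd: not unique), so it is only a minor
    // extra signal. IP is left out on purpose: it changes behind proxies,
    // NAT and mobile links, so it would lock out legitimate users.
    $secret = getenv('APP_FP_SECRET') ?: 'PLACEHOLDER-set-in-config';
    return hash_hmac('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '', $secret);
}

function start_authenticated_session(int $userId): void
{
    session_start();
    session_regenerate_id(true);            // fresh id on login; old id is dead
    $token = bin2hex(random_bytes(32));     // long random value, as feyd suggests
    $_SESSION['user_id']    = $userId;
    $_SESSION['fp']         = client_fingerprint();
    $_SESSION['token_hash'] = hash('sha256', $token);  // store only the hash
    setcookie(AUTH_COOKIE, $token, [
        'httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/',
    ]);
}

function verify_session(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $token = $_COOKIE[AUTH_COOKIE] ?? '';
    // hash_equals() is constant-time and returns false on length mismatch,
    // so a missing cookie or fingerprint simply fails the check.
    $ok = isset($_SESSION['user_id'], $_SESSION['fp'], $_SESSION['token_hash'])
        && hash_equals($_SESSION['fp'], client_fingerprint())
        && hash_equals($_SESSION['token_hash'], hash('sha256', $token));
    if (!$ok) {
        // A request carrying the session id but not the matching token and
        // fingerprint is rejected and the session is thrown away.
        $_SESSION = [];
        session_destroy();
    }
    return $ok;
}
```

Call `start_authenticated_session()` once after the password check succeeds and `verify_session()` at the top of every protected page; the cookie token is never written to the database, only its hash lives in the session.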