session variables

sicksound
Forum Newbie
Posts: 4
Joined: Sun Oct 10, 2004 6:31 pm


Post by sicksound »

hey!

just wondering if it is at all possible for one user to change alter another user's session variables knowing what their session id is. i've got a big crazy experiment i want to try, but i need to be able to do this. but basically, when a user logs on, their session id will get stored into a database, and another user of another session can grab the session id and change a variable pertaining to that session id? possible? please say yes, and if it's no, please explain, cause i'm really thinking this is possible, but i could be horribly wrong. if i can get this to work, the world is mine!!

thanks all!
x
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

why not try it?


possible
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

If the world could be yours and you only lack the courage to do it: just do it.
sicksound
Forum Newbie
Posts: 4
Joined: Sun Oct 10, 2004 6:31 pm

Post by sicksound »

haha, true, you are both right.

the only problem is that i have no idea how to do it?

how do i change a session variable that is not of my own session, by using the session id? like what would the syntax be?

thanks!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I'm not going to tell you how to hijack a session.
sicksound
Forum Newbie
Posts: 4
Joined: Sun Oct 10, 2004 6:31 pm

Post by sicksound »

crap.. but it's not for illegal or mischievous use. it'll only happen on my server, done by me. can you refer me to a place where i can find out how to do so?

thanks!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I don't care if it's for the President.

you already walked through the basics of it in your original post.
sicksound
Forum Newbie
Posts: 4
Joined: Sun Oct 10, 2004 6:31 pm

Post by sicksound »

ok i will do my research. i know i walked through the basics, and i know what the concept may be, but i really have no idea where to start. i'll look though..
phpScott
DevNet Resident
Posts: 1206
Joined: Wed Oct 09, 2002 6:51 pm
Location: Keele, U.K.

Post by phpScott »

Supposedly then, feyd, if you know how to hijack a session you know how to stop it, right?
How about helping those of us who want to stop our sessions from being hijacked?

Move to new post if you wish?

thanks
d_d
Forum Commoner
Posts: 33
Joined: Wed Jul 07, 2004 4:56 pm
Location: UK

Post by d_d »

I'm no expert, but if all you need to hijack a session is the session id, a possible solution would be to get more info from the client that can be used to help verify the session. You could use stuff like the user agent string, IP address, etc. Then if someone tries to hijack the session, some of the info will not match and you can take action.
tim
DevNet Resident
Posts: 1165
Joined: Thu Feb 12, 2004 7:19 pm
Location: ohio

Post by tim »

d_d wrote: I'm no expert, but if all you need to hijack a session is the session id, a possible solution would be to get more info from the client that can be used to help verify the session. You could use stuff like the user agent string, IP address, etc. Then if someone tries to hijack the session, some of the info will not match and you can take action.
You make it seem stealing a session ID is a piece of cake.

8O
nincha
Forum Contributor
Posts: 191
Joined: Fri Mar 28, 2003 12:30 pm
Location: CA, USA

Post by nincha »

quite sure interrupting another's session using the id is possible, anything is possible right?? but the real question is -- does the PHP compiler provide such a thing?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

php allows hijacking of sessions, as that's not a part of its core. Disallowing the hijacking of a session can be challenging.. for many reasons: their IP may change throughout the session, their IP may be a router/proxy where many users are behind the same unit.. The agent string isn't very unique, and would use a lot of space in a database unless you stored off the uniques and referred to their id numbers, but even then, you'll see the same useragent quite often. Turning off trans_id can help, however, this breaks all users without cookies.. so it's heavily dependent on the restrictions you want to set up.

You can add additional authentication like fairly long cookie/url values as hashes.. or uniquely hashing the username and password in some fashion, although you'd best use a REAL good encryption/hash for it, so it's a huge waste of time to try to break.
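As an added defensive example (not code from anyone in this thread), here is one way to apply the hardening d_d and feyd describe in modern PHP 7+: cookies only with trans_sid off, a fresh id on login, and a keyed fingerprint of the user agent that is checked on every request. The constant name, the secret value and the function names are this example's own assumptions; the IP address is deliberately left out of the fingerprint for the reasons feyd gives.

```php
<?php
// Added example: bind a PHP session to client context so that a copied
// session id alone is not enough. Assumes PHP 7.1+; names are illustrative.

// Ini-level hardening, set before session_start(): cookies only, no id in
// URLs (trans_sid), reject ids the server never issued, hide cookie from JS.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');

// Placeholder server-side secret; in practice load it from outside the web root.
const FINGERPRINT_SECRET = 'CHANGE-ME-example-secret';

session_start();

// Fingerprint keyed with a server secret so a client cannot precompute it.
// User agent only: IPs change mid-session and are shared behind proxies.
function client_fingerprint(): string {
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, FINGERPRINT_SECRET);
}

// Call once after a successful username/password check.
function session_login(int $userId): void {
    session_regenerate_id(true);            // drop any pre-login id
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = client_fingerprint();
}

// Call at the top of every authenticated page. Returns the user id or null.
function session_verify(): ?int {
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'])) {
        return null;
    }
    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        // Client context no longer matches: record it and end the session.
        error_log('session fingerprint mismatch for user ' . $_SESSION['user_id']);
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return (int) $_SESSION['user_id'];
}

// Typical use on a protected page.
if (($uid = session_verify()) === null) {
    header('Location: /login.php');
    exit;
}
```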