Encrypt Session Vars?

Todd_Z
Forum Regular
Posts: 708
Joined: Thu Nov 25, 2004 9:53 pm
Location: U Michigan

Post by Todd_Z »

How important is it to encrypt the session variables? I just have one: and it stores the user id number, so theoretically if someone altered this value, there would be zero security... What should I do about that?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Encryption doesn't protect variables from tampering: signing does that.

I don't think that this should be too big a problem. You should store more information such as when the last access was, etc, but in order to tamper with the session variable, they'd have to have physical access (and if they have physical access, you have much bigger problems). It's simply not worth the hassle.

However, making sure sessions don't fall into the wrong hands is a different problem altogether...
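The first sentence of the reply above is the key point, and it is easy to see in code. The following is an added example, not code from the thread or from any poster: it puts a user id in a client-side token two ways, first encrypted only (AES-256-CTR, no authentication) and then HMAC-signed, and shows that the encrypted token can be altered without the server noticing, while the signed one cannot. It assumes PHP 7.2 or later with the OpenSSL extension; the passphrase is a constructed placeholder, and in a real deployment the key is a random 32-byte secret kept out of the code. Note that plain `$_SESSION` data never leaves the server, so this only matters when you hand a value to the browser in a cookie, hidden field or URL.

```php
<?php
// Added example, not code from the thread. Shows that encryption alone does
// not stop tampering (AES-CTR is malleable) while an HMAC signature does.
// Assumes PHP >= 7.2 with the OpenSSL extension. The key is derived from a
// constructed demo passphrase; use a random 32-byte secret in real code.

$key = hash('sha256', 'constructed-demo-passphrase', true); // 32 bytes for AES-256

// --- Encrypt-only token: confidential, but malleable ---
function encryptOnly(string $plain, string $key): string {
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plain, 'aes-256-ctr', $key, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ct);
}

function decryptOnly(string $token, string $key): string {
    $raw = base64_decode($token, true);
    $iv  = substr($raw, 0, 16);
    $ct  = substr($raw, 16);
    return openssl_decrypt($ct, 'aes-256-ctr', $key, OPENSSL_RAW_DATA, $iv);
}

// The attacker knows the layout "uid=423" but not the key. In CTR mode
// ciphertext XOR keystream = plaintext, so XORing ciphertext byte 4 with
// ('4' ^ '9') flips the decrypted '4' to '9'. No key needed, no error raised.
function tamperCtr(string $token): string {
    $raw = base64_decode($token, true);
    $i = 16 + 4;                                   // 16-byte IV, then offset of '4' in "uid=423"
    $raw[$i] = chr(ord($raw[$i]) ^ (ord('4') ^ ord('9')));
    return base64_encode($raw);
}

// --- Signed token: any change to the value invalidates the MAC ---
function sign(string $value, string $key): string {
    return $value . '.' . hash_hmac('sha256', $value, $key);
}

function verify(string $token, string $key): ?string {
    $pos = strrpos($token, '.');
    if ($pos === false) {
        return null;
    }
    $value = substr($token, 0, $pos);
    $mac   = substr($token, $pos + 1);
    // hash_equals compares in constant time, so the MAC cannot be guessed byte by byte.
    return hash_equals(hash_hmac('sha256', $value, $key), $mac) ? $value : null;
}

// Demonstration: the checks below throw if the claims above do not hold.
$encrypted = encryptOnly('uid=423', $key);
if (decryptOnly(tamperCtr($encrypted), $key) !== 'uid=923') {
    throw new RuntimeException('expected the flipped ciphertext to decrypt to a different uid');
}

$signed = sign('uid=423', $key);
$forged = str_replace('uid=423', 'uid=923', $signed);   // attacker edits the visible value
if (verify($signed, $key) !== 'uid=423' || verify($forged, $key) !== null) {
    throw new RuntimeException('expected the genuine token to verify and the forged one to fail');
}
echo "encrypt-only token was altered silently; signed token rejected the edit\n";
```

If you need both secrecy and integrity, sign the encrypted value (encrypt-then-MAC) or use an authenticated mode such as AES-256-GCM via `openssl_encrypt` with a tag; a MAC alone is enough when the user id is not secret, which it is not here since it already appears in profile URLs.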
Todd_Z
Forum Regular
Posts: 708
Joined: Thu Nov 25, 2004 9:53 pm
Location: U Michigan

Post by Todd_Z »

Well, it's VERY easy to figure out which session id is assigned to which user - for example, to see a user's profile, you go to /Profile/XXXX/ - so there's no security. So basically, if someone wants to be granted access to all of the functions and abilities of a user, they could theoretically change the session var to the id, and security goes flying out the window.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

I think you're mixing up session id and user id.

Session id looks like... 89a3brajrha983eahcjaz9w3kjsd
User id looks like... 423 as in /Profile/423/

Plus, users cannot change session vars, the stuff in $_SESSION. Only scripts can do that.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

As mentioned before, session hijacking has nothing to do with the malicious changing of session values; it will only allow the malicious user to assume the identity of the real user.
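Since the real risk in this thread is someone obtaining or planting a session id rather than editing `$_SESSION`, here is an added example (not code from the thread or from any poster) of the session handling that addresses it: strict mode so the server refuses ids it never issued, cookie-only transport with `Secure`/`HttpOnly`/`SameSite`, a fresh id at login, and the idle timeout based on last-access time suggested earlier in the thread. It assumes PHP 7.3 or later served over HTTPS; `checkCredentials()` and its single in-memory user are constructed stand-ins for your own user lookup.

```php
<?php
// Added example, not code from the thread. Session handling that resists
// fixation and hijacking. Assumes PHP >= 7.3 over HTTPS. checkCredentials()
// and its user table are constructed placeholders for a real user store.

const IDLE_LIMIT = 1800;   // seconds without a request before the session is dropped

function startHardenedSession(): void {
    // Refuse ids the server never issued, so an attacker cannot plant ("fix") one.
    ini_set('session.use_strict_mode', '1');
    // Take the id from the cookie only, never from the URL (keeps it out of links and logs).
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,        // expires when the browser closes
        'path'     => '/',
        'secure'   => true,     // the id is the credential; HTTPS only
        'httponly' => true,     // not readable from JavaScript, so XSS cannot simply read it
        'samesite' => 'Lax',
    ]);
    session_start();

    // Idle timeout using the last-access timestamp stored in the session.
    $now = time();
    if (isset($_SESSION['last_access']) && ($now - $_SESSION['last_access']) > IDLE_LIMIT) {
        $_SESSION = [];
        session_regenerate_id(true);   // discard the stale id and its server-side data
    }
    $_SESSION['last_access'] = $now;
}

function loginUser(int $userId): void {
    // New id at the moment privileges change: an id seen before login is now worthless.
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
}

function logoutUser(): void {
    $_SESSION = [];
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_destroy();
}

function currentUserId(): ?int {
    return isset($_SESSION['uid']) ? (int) $_SESSION['uid'] : null;
}

// Constructed stand-in for a user store; a real application queries its database.
function checkCredentials(string $user, string $pass): ?int {
    static $users = null;
    if ($users === null) {
        $users = ['todd' => ['id' => 423, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    $row = $users[$user] ?? null;
    return ($row !== null && password_verify($pass, $row['hash'])) ? $row['id'] : null;
}

// Usage, e.g. at the top of login.php:
startHardenedSession();
$uid = isset($_POST['user'], $_POST['pass'])
    ? checkCredentials($_POST['user'], $_POST['pass'])
    : null;
if ($uid !== null) {
    loginUser($uid);
}
```

`session_regenerate_id(true)` is the line that matters most: without it, an attacker who gets a victim to use a known session id before login inherits the authenticated session once the victim logs in, and `use_strict_mode` is what stops the attacker from choosing that id in the first place.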