Encrypt Session Vars?

Posted: Sun Nov 06, 2005 3:41 pm
by Todd_Z
How important is it to encrypt the session variables? I just have one: and it stores the user id number, so theoretically if someone altered this value, there would be zero security... What should I do about that?

Posted: Sun Nov 06, 2005 5:15 pm
by Ambush Commander
Encryption doesn't protect variables from tampering: signing does that.

I don't think that this should be too big a problem. You should store more information such as when the last access was, etc, but in order to tamper with the session variable, they'd have to have physical access (and if they have physical access, you have much bigger problems). It's simply not worth the hassle.

However, making sure sessions don't fall into the wrong hands is a different problem altogether...
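A worked illustration of the signing point above, added here and not part of the original post: the user id in `$_SESSION` lives on the server, but when a value has to be carried by the client (a cookie or a hidden form field, say), an HMAC lets the script detect any edit to it. The key and the sample user id 423 are made up for this example.

```php
<?php
// Added example (not from the thread): sign a value that travels via the client,
// e.g. a user id placed in a cookie, so that tampering is detected on return.
// SIGNING_KEY is a placeholder; a real deployment uses a long random secret
// stored server-side. The user id 423 is a constructed sample value.

const SIGNING_KEY = 'replace-with-a-long-random-secret';

/** Return "value.hexsignature" for a value the client will hand back later. */
function sign_value(string $value, string $key): string
{
    return $value . '.' . hash_hmac('sha256', $value, $key);
}

/** Return the original value if its signature verifies, or null if it does not. */
function verify_value(string $signed, string $key): ?string
{
    $parts = explode('.', $signed, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$value, $sig] = $parts;
    $expected = hash_hmac('sha256', $value, $key);
    // hash_equals compares in constant time, so the check does not leak
    // how many leading characters of the signature were right.
    return hash_equals($expected, $sig) ? $value : null;
}

// Server issues the signed token for user 423.
$token = sign_value('423', SIGNING_KEY);

// Genuine token comes back unchanged: verification returns "423".
$accepted = verify_value($token, SIGNING_KEY);

// The client rewrites the id but cannot recompute the HMAC without the key,
// so the edited token is rejected (null).
$tampered = '1' . substr($token, 3);
$rejected = verify_value($tampered, SIGNING_KEY);

// A token with a corrupted signature is rejected the same way.
$corrupted = $token . 'a';
$also_rejected = verify_value($corrupted, SIGNING_KEY);

var_dump($accepted, $rejected, $also_rejected);
```

Encrypting the same value would hide the number 423 from the client, but on its own it gives the server no way to tell a modified ciphertext from the one it issued; the HMAC is what makes an edit detectable. Signing and encryption can be combined when the value must also stay confidential.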

Posted: Sun Nov 06, 2005 5:18 pm
by Todd_Z
Well, it's VERY easy to figure out which session id is assigned to which user - for example, to see a user's profile, you go to /Profile/XXXX/ - so there's no security. So basically, if someone wants to be granted access to all of the functions and abilities of a user, they could theoretically change the session var to the id, and security goes flying out the window.

Posted: Sun Nov 06, 2005 5:22 pm
by Ambush Commander
I think you're mixing up session id and user id.

Session id looks like... 89a3brajrha983eahcjaz9w3kjsd
User id looks like... 423 as in /Profile/423/

Plus, users cannot change session vars, the stuff in $_SESSION. Only scripts can do that.

Posted: Sun Nov 06, 2005 5:54 pm
by John Cartwright
As mentioned before, session hijacking has nothing to do with the malicious changing of session values; it will only allow the malicious user to assume the identity of the real user.