Some questions about Sessions / Cookies

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


brownca
Forum Newbie
Posts: 4
Joined: Wed Feb 02, 2011 11:11 am

Some questions about Sessions / Cookies

Post by brownca »

Hi, I'm still a beginner with PHP but just have a few questions on sessions and cookies which I hope someone can help out with.

As I understand it, a random session id is stored locally as a cookie (PHPSESSID), which links up to the user's session data stored on the server.

I am designing a website which currently stores a user's unique ID in a session variable. Other user data is generated on each page from this user ID. Am I right in thinking that this is secure, since the sensitive data (the user ID) is being stored on the server, and the only way someone else could access it is by cloning the PHPSESSID cookie?

Is it likely/possible that two identical PHP session IDs could be created, and if so is it possible to manually set the session ID (so that I can ensure its uniqueness)?

I wish to implement a 'Remember Me' feature. I know I need to set a cookie, but what should it contain? If it contained the username, that would surely be insecure since someone could just create a cookie with a known username to log in as that person. Should I be setting the PHP session ID cookie to expire in a year instead?

Thanks in advance.
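As an added example (not code from the original post), here is one way to build the 'Remember Me' cookie asked about above without putting the username in it. The cookie carries a random selector plus a random validator; the server stores only a hash of the validator, so a copied database row cannot be turned into a working cookie, and a cookie with a valid selector but wrong validator is revoked. The `remember_tokens` table, the `remember_me` cookie name and the SQLite DSN are assumptions for illustration; `setcookie()` with an options array needs PHP 7.3 or later.

```php
<?php
// Added example, not from the original thread. Assumed schema:
//   CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY, validator_hash TEXT,
//                                 user_id INTEGER, expires_at INTEGER);
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';      // assumed cookie name
const REMEMBER_TTL    = 60 * 60 * 24 * 30;  // 30 days

/** Create a fresh remember-me token for $userId and set the cookie. */
function issue_remember_token(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(12)); // public lookup key, not secret
    $validator = random_bytes(32);          // secret; only its hash is stored
    $expires   = time() + REMEMBER_TTL;

    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at)
         VALUES (:sel, :hash, :uid, :exp)'
    );
    $stmt->execute([
        ':sel'  => $selector,
        ':hash' => hash('sha256', $validator),
        ':uid'  => $userId,
        ':exp'  => $expires,
    ]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . bin2hex($validator), [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

/** Return the user id the cookie proves, or null. Rotates the token on success. */
function check_remember_token(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validatorHex] = $parts;
    if (strlen($validatorHex) % 2 !== 0) {
        return null;
    }
    $validator = hex2bin($validatorHex);

    $stmt = $db->prepare(
        'SELECT validator_hash, user_id, expires_at FROM remember_tokens WHERE selector = :sel'
    );
    $stmt->execute([':sel' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }

    $delete = $db->prepare('DELETE FROM remember_tokens WHERE selector = :sel');

    // Constant-time comparison so response timing does not leak the stored hash.
    if (!hash_equals((string) $row['validator_hash'], hash('sha256', $validator))) {
        // Right selector, wrong validator: someone is guessing or replaying a
        // stolen cookie. Revoke the token so the real owner must log in again.
        $delete->execute([':sel' => $selector]);
        return null;
    }

    // Single use: consume this token and hand out a new one.
    $delete->execute([':sel' => $selector]);
    issue_remember_token($db, (int) $row['user_id']);
    return (int) $row['user_id'];
}

// Typical use near the top of every request, before the normal login check.
session_start();
if (empty($_SESSION['user_id']) && isset($_COOKIE[REMEMBER_COOKIE])) {
    $db  = new PDO('sqlite:/path/to/app.db'); // assumed DSN
    $uid = check_remember_token($db, (string) $_COOKIE[REMEMBER_COOKIE]);
    if ($uid !== null) {
        session_regenerate_id(true); // new session id whenever privilege changes
        $_SESSION['user_id'] = $uid;
    }
}
```

Extending the lifetime of the PHPSESSID cookie to a year would keep a single, never-rotated identifier valid for that whole period; the separate, single-use token above can be revoked per device (delete its row) without touching the normal session.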
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Some questions about Sessions / Cookies

Post by social_experiment »

brownca wrote:Am I right in thinking that this is secure, since the sensitive data (the user ID) is being stored on the server, and the only way someone else could access it is by cloning the PHPSESSID cookie?
If you are using shared hosting your sessions could be accessed by other users.
The Manual wrote:The session module cannot guarantee that the information you store in a session is only viewed by the user who created the session. You need to take additional measures to actively protect the integrity of the session, depending on the value associated with it.
brownca wrote:Is it likely/possible that two identical PHP session IDs could be created, and if so is it possible to manually set the session ID (so that I can ensure its uniqueness)?
It's possible, but you shouldn't rely on this value only for 'uniqueness'.

f=34&t=130286
Read this topic for more information on sessions
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering