Can I trust $_SESSION?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.


Post by kaisellgren »

Hi,

Can I trust the $_SESSION global variable?

I have a script that only checks whether $_SESSION["userid"] is set; if it is, it continues without checking the password. Can anyone fake $_SESSION?
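Added example (not code from any post in this thread): $_SESSION is stored on the server, so a client cannot write to it directly; what the client controls is the session ID cookie, so the things that can actually be "faked" are the ID itself (planted, guessed, or stolen). The snippet below shows the pattern of only setting `$_SESSION['userid']` after a password check and tying the ID to that event. It assumes PHP 7.3 or later for the array forms of `session_set_cookie_params()`/`setcookie()`, an HTTPS site for the `secure` flag, and a constructed `$users` array standing in for a database lookup.

```php
<?php
declare(strict_types=1);

// Added example: $_SESSION lives on the server, so the client cannot write to it.
// What the client does control is the session ID cookie, so the defences are about
// the ID: only accept IDs the server issued, change the ID when the login state
// changes, and bound how long a leaked ID stays useful.

function start_hardened_session(): void
{
    ini_set('session.use_only_cookies', '1'); // never take the ID from the query string
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not generate (anti-fixation)
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // assumption: the site is served over HTTPS
        'httponly' => true,     // page scripts cannot read the ID via document.cookie
        'samesite' => 'Lax',
    ]);
    session_start();
}

/**
 * Verify credentials against a password_hash() value and, only on success,
 * mark the session as logged in. $users is a constructed stand-in for a DB
 * lookup: ['username' => '<hash from password_hash()>'].
 */
function login(string $user, string $password, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    // The privilege level of this session changes here, so issue a new ID and
    // delete the old record. An ID planted before login is never upgraded.
    session_regenerate_id(true);
    $_SESSION['userid']        = $user;
    $_SESSION['last_activity'] = time();
    return true;
}

/** Gatekeeper for protected pages: returns the user ID or ends the request. */
function require_login(int $idle_limit = 1800): string
{
    if (empty($_SESSION['userid'])) {
        http_response_code(401);
        exit('Not logged in');
    }
    // Idle timeout: a stolen cookie stops working after $idle_limit seconds of inactivity.
    if (time() - ($_SESSION['last_activity'] ?? 0) > $idle_limit) {
        logout();
        http_response_code(401);
        exit('Session expired');
    }
    $_SESSION['last_activity'] = time();
    return $_SESSION['userid'];
}

/** Full teardown: clear the data, expire the cookie, delete the server-side record. */
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Usage sketch. The sample user is constructed; the hash is computed here only so
// the example is self-contained (in real code it comes from the user store).
start_hardened_session();
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

if (($_POST['user'] ?? '') !== '' && login($_POST['user'], $_POST['password'] ?? '', $users)) {
    echo "Logged in as {$_SESSION['userid']}\n";
} elseif (!empty($_SESSION['userid'])) {
    echo 'Welcome back, ' . require_login() . "\n";
}
```

The check in the original question (`isset($_SESSION['userid'])`) is fine as the gate on later pages; the important part is that the only code path which ever assigns that key is the one that just verified a password, and that it regenerates the ID at that moment.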
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

You should use a PCRE to validate the session global. We could all pitch in and write one for you if you want...... oh wait, never mind. :rofl:

Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

There are also possible issues with file-based sessions on shared hosting, where one site could potentially access the session files of another. This depends on the hosting configuration, of course, but the general feeling about this problem seems to be that one should implement database-based sessions.
Zyxist
Forum Contributor
Posts: 104
Joined: Sun Jan 14, 2007 10:44 am
Location: Cracow, Poland

Post by Zyxist »

Here you can find how to fight against various attacks on PHP sessions. The article should be very useful for you:

http://phpsec.org/projects/guide/4.html