Fake sessions?
Posted: Sat Aug 23, 2008 9:41 am
by Chalks
I've been using sessions for a while, mainly to pass error codes back and forth between pages. Now I'm actually using it to determine whether a user can access their personal information. I'm wondering if users could create fake session data. Is that possible? If so, how can I prevent it... any tutorials?
In particular, I have one page that loads based on whether the $_SESSION['logged'] value is true, and the content is based on $_SESSION['name'].
Thanks.
Re: Fake sessions?
Posted: Sat Aug 23, 2008 3:13 pm
by jaoudestudios
Yes, sessions can be faked. If you google it there are loads of results. PHP does have a response, which is to generate a new session_id every time a page is loaded.
Sessions are useful for the situation you are in; I cannot see another way.
You could encode the session data! But that's another story.
Instead of sending TRUE, send the user_id. Then, when they come to a secure page, check that id in the database to double check that the user exists. If it does, display the page; otherwise destroy the session and redirect them to the log in page.
Re: Fake sessions?
Posted: Mon Aug 25, 2008 5:09 am
by Mordred
jaoudestudios wrote: Yes, sessions can be faked. If you google it there are loads of results. PHP does have a response, which is to generate a new session_id every time a page is loaded.
You seem to be mixing session_id theft with session data, and from then on what you say is nonsense. Do learn your terminology please.
@Chalks:
Session data is just a handy way to keep data on the server, and to "hide" the actual means of storage behind the interface of $_SESSION. Session storage can be implemented over the file system (the default implementation), over a database, shared memory, pigeons, you name it.
Thus, there are two points of attack:
- Attack the underlying session storage (for example if you store sessions in a database, and you have a SQL injection hole that allows db modification, you can also modify session data)
- Attack the code that legitimately writes to the session data
if (buggy_check()) $_SESSION['logged']=1; //subvert buggy_check() and you're in
A real-life example of the second can be seen in an adjacent topic:
viewtopic.php?f=34&t=87141&p=480931#p480931
Re: Fake sessions?
Posted: Tue Aug 26, 2008 12:06 am
by Chalks
Ah, thanks, that makes sense.
Mordred wrote: - Attack the underlying session storage (for example if you store sessions in a database, and you have a SQL injection hole that allows db modification, you can also modify session data)
Is there a way to find out how my sessions are being stored? I have no idea if it's going into a cookie, or is stored in a database, or simply exists in the 4th dimension. If stored in a cookie, could someone conceivably create a cookie that looks real to the server, but isn't?
Re: Fake sessions?
Posted: Tue Aug 26, 2008 2:55 am
by Mordred
Most probably the default, i.e. in files in the session.savepath (variable in php.ini) directory.
http://bg.php.net/manual/en/function.se ... andler.php is the way to change the storage mechanism.
Sessions in cookies is a bit tricky, so don't try it at home.
Databases and files are the two most common scenarios, you shouldn't worry about others until you start developing huge applications with millions of users.
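
Added example (not part of any post in this thread): a PHP page that answers the "how are my sessions being stored?" question by reporting the active handler and save path, showing that the browser holds only the session id, and flagging a file store that other local users could list or overwrite. The function name describe_session_storage is hypothetical, and the permission checks assume a Unix-style file system.

```php
<?php
// Added example: report where this PHP install keeps session data and
// flag a file-based store that other local accounts can reach.

function describe_session_storage(): array
{
    $handler = ini_get('session.save_handler');   // "files" by default
    $rawPath = session_save_path();               // "", "/path", "N;/path" or "N;MODE;/path"
    $report  = ['handler' => $handler, 'raw_path' => $rawPath, 'warnings' => []];

    if ($handler !== 'files') {
        // Database, memcached or a custom handler: that store's access controls apply.
        $report['warnings'][] = "non-file handler; review that store's access controls";
        return $report;
    }

    // The directory is always the last ';'-separated field of the setting.
    $parts = explode(';', $rawPath);
    $dir   = end($parts);
    if ($dir === '') {
        $dir = sys_get_temp_dir();                // an empty setting falls back to the temp dir
    }
    $report['dir'] = $dir;

    $perms = @fileperms($dir);
    if ($perms === false) {
        $report['warnings'][] = 'cannot stat the save path';
        return $report;
    }
    $report['mode'] = sprintf('%04o', $perms & 07777);
    if ($perms & 0004) {
        $report['warnings'][] = 'world-listable: file names reveal session ids';
    }
    if (($perms & 0002) && !($perms & 01000)) {
        $report['warnings'][] = 'world-writable without sticky bit: session files can be replaced';
    }
    return $report;
}

session_start();
$_SESSION['logged'] = $_SESSION['logged'] ?? false;   // stored server-side, never sent in the cookie
$report = describe_session_storage();
$report['cookie_name']  = session_name();              // the browser holds only this name ...
$report['cookie_value'] = session_id();                // ... and this id, which keys the stored data
header('Content-Type: text/plain');
print_r($report);
```

With the files handler and no directory depth configured, the data for the current visitor sits in a file named sess_ followed by the reported id inside the reported directory.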