Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
PHP sessions and how they work seem really vague to me. When I read about sessions in the php.net manual it says something about cookies, so I'm suspicious that maybe the $_SESSION variables are stored and controlled by the user. I figure this because of my established concept of cookies.
Is this the case? How secure are the sessions?
I appreciate any input on this subject and also maybe a detailed, yet comprehensible, resource for everything about php sessions and/or the basics of how they work.
One of the methods PHP uses to track sessions is a cookie. If cookies are not available it still works; PHP can also use a parameter and some other methods to identify the session.
$_SESSION data is as secure as your server & the connection. If the user is connecting over plain text http, then the cookie can be sniffed & a third party can access the $_SESSION data. If the connection is over https, the cookie data is encrypted too (when it's being sent over the wire).
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
SteelSlasher wrote: Not necessarily, sessions can be stored in the RAM of your PC since you can view sessions in Firefox 2
...Not PHP sessions. Maybe browser sessions, but that's something completely different. $_SESSION data is never transmitted to the browser unless explicitly echoed or stored in $_COOKIE.
A short HTTP primer:
All HTTP messages consist of a header and a body. Typical bodies are page content (in server->client messages) and POST data (in client->server messages). Headers have three major roles:
- Tell the other side things about the body (size, encoding)
- Carry info about the TCP connection (you don't need the details here)
- Carry additional data. Cookies and GET data travel here.
Thus, if someone is capable of catching HTTP messages in transit (aka sniffing), he has full access to all $_GET, $_POST and $_COOKIE data.
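The point made in the replies above, that $_SESSION data stays on the server while only the session ID travels in a cookie, and that this cookie is exactly what a sniffer on plain HTTP captures, as an added PHP example (not code from this thread). The user id and role values are made up for the demo, and the cookie settings assume PHP 7.3 or later:

```php
<?php
// Added example, not from the thread: only the session ID goes to the
// client; the data lives in $_SESSION on the server. The cookie is
// hardened so it is not sent over plain HTTP, where it could be sniffed.

// Disable the URL-parameter fallback mentioned above, so the ID travels
// only in the cookie and never ends up in logs, referers or bookmarks.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject session IDs the server never issued (PHP >= 5.5.2).
ini_set('session.use_strict_mode', '1');

// Secure   = the browser sends the cookie over HTTPS only.
// HttpOnly = JavaScript in the page cannot read it.
// Array form of session_set_cookie_params() requires PHP >= 7.3.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

if (!isset($_SESSION['user_id'])) {
    // Hypothetical login outcome for the demo; a real application
    // verifies credentials before storing anything here.
    $_SESSION['user_id'] = 42;        // constructed sample value
    $_SESSION['role']    = 'editor';  // constructed sample value
    // Issue a fresh ID once the session gains privileges, so an ID that
    // was captured before login is no longer tied to this session.
    session_regenerate_id(true);
}

header('Content-Type: text/plain');
// What the browser (and a sniffer on a plain-HTTP link) holds: the ID only.
echo "Cookie the client holds: " . session_name() . '=' . session_id() . "\n";
// What only the server holds: the data behind $_SESSION.
echo "Server-side session data: " . json_encode($_SESSION) . "\n";
```

Serve the script over HTTPS; with the Secure flag set, a browser on plain HTTP will not present the cookie at all, so the session simply does not resume there.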