$_SESSION security
I know that sessions are stored on the server and only session IDs are stored as cookies, but given the things I've been reading about how HTTP status can be modified in such bizarre ways, I was wondering whether, if I create a variable named $_SESSION['username'] and instantiate it, this value could be changed by an attacker (excluding fixations and hijacking), possibly in the same way as $_GET and $_POST are changed, or in any other way?
Re: $_SESSION security
You can't actually trust anything that you get from a request. There are many ways to upgrade your session security:
http://shiflett.org/articles/the-truth-about-sessions
I mix different techniques and also store more than just the session id in $_SESSION. I store an object that holds more information about the request:
Code:
<?php
// Holds the request properties that were observed when the session was created,
// so later requests can be compared against them
class user_request_meta {
    private $_session_id;
    private $_browser;   // user agent string of the client
    private $_ip;        // remote address of the client
    // ...
    // I put here a unique value from the form if a post is involved
    private $_post_key;
    // and methods to handle params
}
You can also put keys on your links; keys can change in the process.
session_regenerate_id(); is something that is useful as well.
Lots of stuff here:
http://phpsec.org/library/
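One way to put the advice in this reply into working code, as an added example that is not from the thread or from any poster: it writes to $_SESSION only after authentication (never straight from $_GET or $_POST), binds the session to a request fingerprint, regenerates the id on login, and issues one-time form keys for the "keys on your links" idea. The function names, the session keys, the choice of user agent as the fingerprint and the PHP 7.3+ requirement are my assumptions; the session id itself is deliberately not copied into $_SESSION.

```php
<?php
// Added example, not from the thread. Assumptions: PHP >= 7.3 with the session
// extension and a site served over HTTPS; all names below are my own.
declare(strict_types=1);

// Start the session with conservative cookie settings: not readable by script,
// only sent over TLS, and not sent on cross-site requests.
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // assumption: HTTPS is in use
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    // Refuse session ids the client invented (limits fixation) and ignore ids in URLs.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();
}

// Fingerprint of request properties expected to stay stable for one client.
// The user agent is cheap to fake, so this is a hurdle rather than a guarantee;
// the remote address is left out because legitimate clients change it.
function request_fingerprint(array $server): string
{
    return hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
}

// Called only after the credentials have been verified by the application.
function session_login(string $username, array $server): void
{
    session_regenerate_id(true);          // new id, old session file removed
    $_SESSION['username']    = $username;
    $_SESSION['fingerprint'] = request_fingerprint($server);
    $_SESSION['login_time']  = time();
}

// True when the session belongs to a logged-in user whose fingerprint still
// matches and whose login is not older than $max_age seconds; otherwise the
// session is wiped so a stale or suspicious session cannot be reused.
function session_is_valid(array $server, int $max_age = 3600): bool
{
    if (!isset($_SESSION['username'], $_SESSION['fingerprint'], $_SESSION['login_time'])) {
        return false;
    }
    $ok = hash_equals($_SESSION['fingerprint'], request_fingerprint($server))
        && (time() - $_SESSION['login_time']) <= $max_age;
    if (!$ok) {
        $_SESSION = [];
        session_destroy();
    }
    return $ok;
}

// Per-form key: generated server-side, remembered in the session, and required
// on the POST that follows. Each key is accepted once.
function form_key_create(): string
{
    $key = bin2hex(random_bytes(32));
    $_SESSION['form_keys'][$key] = time();
    return $key;
}

function form_key_consume(string $submitted): bool
{
    $valid = isset($_SESSION['form_keys'][$submitted]);
    unset($_SESSION['form_keys'][$submitted]);   // one-time use
    return $valid;
}

// Usage sketch (credentials_ok() is a hypothetical application function):
// secure_session_start();
// if (credentials_ok($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//     session_login($_POST['user'], $_SERVER);
// }
// if (!session_is_valid($_SERVER)) { /* redirect to the login page */ }
// $key = form_key_create();   // embed as a hidden field; check with form_key_consume($_POST['key'] ?? '')
```

The point the original question turns on is visible in session_login(): the client never writes $_SESSION directly, so $_SESSION['username'] can only take values the server put there. The risk is the line where request data is copied into the session, which is why it happens only after authentication.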
- kaisellgren
Re: $_SESSION security
jazz090 wrote: could this value be changed by an attacker (excluding fixations and hijacking)
Usually no, but it is certainly possible. For instance, Session Storage attacks can do it.

gregor171 wrote: I also store more than just session id in $_SESSION.
Why on earth would you store the session identifier in the session?

gregor171 wrote: I store an object that holds more information about the request:
Your approach to serialize an object that holds information and to store it in a session sounds weird.
Re: $_SESSION security
kaisellgren wrote: Your approach to serialize an object that holds information and to store it in a session sounds weird.
Why is the approach weird? Is anything wrong with storing objects in a session?
Re: $_SESSION security
temidayo wrote: Why is the approach weird? Is anything wrong with storing objects in a session?
Can't you just place the object in the normal namespace, such as $sessioninfo?
There is nothing wrong with that, but it is just a little awkward.