$_SESSION security
Posted: Mon Apr 20, 2009 2:40 pm
by jazz090
I know that sessions are stored on the server and only session IDs are stored as cookies, but given the things I've been reading about how HTTP status can be modified in such bizarre ways, I was wondering whether, if I create a variable named $_SESSION['username'] and instantiate it, this value could be changed by an attacker (excluding fixations and hijacking), possibly the same way as $_GET and $_POST are changed, or anything else?
Re: $_SESSION security
Posted: Tue Apr 21, 2009 1:32 pm
by gregor171
You can't actually trust anything that you get from a request. There are many ways to upgrade your session security:
http://shiflett.org/articles/the-truth-about-sessions
I mix different techniques and also store more than just the session id in $_SESSION. I store an object that holds more information about the request:
<?php
class user_request_meta {
    private $_session_id;
    private $_browser;
    private $_ip;
    // ...
    // I put here a unique value from the form if a POST is involved
    private $_post_key;
    // and methods to handle params
}
You can also put keys on your links. Keys can change in the process.
session_regenerate_id(); is something that is useful as well.
Lots of stuff here:
http://phpsec.org/library/
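One way to combine the techniques this post names (strict session ids, metadata bound to the session, session_regenerate_id() on login, single-use keys on forms) in one place; this is an added example, not gregor171's code, and the names SessionGuard, fingerprint, formKey and checkFormKey are assumptions.

```php
<?php
// Added example, not gregor171's code: the techniques the post names combined.
// Names (SessionGuard, fingerprint, formKey, checkFormKey) are assumptions.
final class SessionGuard
{
    // Refuse ids the server never issued (fixation) and set cookie flags that
    // make the id harder to steal; then bind the session to request metadata.
    public static function start(): void
    {
        ini_set('session.use_strict_mode', '1');
        ini_set('session.use_only_cookies', '1');
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax',
            'secure' => !empty($_SERVER['HTTPS'])]);
        session_start();
        $fp = self::fingerprint();
        if (!isset($_SESSION['fp'])) {
            $_SESSION['fp'] = $fp;           // first request: record metadata
        } elseif (!hash_equals($_SESSION['fp'], $fp)) {
            $_SESSION = [];                  // metadata changed: drop state
            session_regenerate_id(true);     // and retire the old id
            $_SESSION['fp'] = $fp;
        }
    }
    // User-Agent is request-controlled, so this only raises the bar; the IP is
    // left out on purpose because it changes for mobile and proxied users.
    private static function fingerprint(): string
    {
        return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    }
    // On login issue a fresh id, so an id seen before authentication is useless.
    public static function login(string $username): void
    {
        session_regenerate_id(true);
        $_SESSION['username'] = $username;
    }
    // Single-use key embedded in a form ("keys on your links"); the POST
    // handler must present it back, compared in constant time.
    public static function formKey(): string
    {
        return $_SESSION['form_key'] = bin2hex(random_bytes(16));
    }
    public static function checkFormKey(?string $submitted): bool
    {
        $expected = $_SESSION['form_key'] ?? null;
        unset($_SESSION['form_key']);
        return $expected !== null && $submitted !== null
            && hash_equals($expected, $submitted);
    }
}
```

Call SessionGuard::start() before any output on every page, SessionGuard::login() after credentials check out, and SessionGuard::checkFormKey($_POST['key'] ?? null) in each POST handler.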
Re: $_SESSION security
Posted: Tue Apr 21, 2009 6:55 pm
by kaisellgren
jazz090 wrote: could this value be changed by an attacker (excluding fixations and hijacking)
Usually no, but it is certainly possible. For instance, Session Storage attacks can do it.
gregor171 wrote: I also store more than just the session id in $_SESSION.
Why on earth would you store the session identifier in the session?
gregor171 wrote: I store an object that holds more information about the request:
Your approach to serialize an object that holds information and to store it in a session sounds weird.
Re: $_SESSION security
Posted: Wed Apr 22, 2009 10:36 am
by temidayo
kaisellgren wrote:
gregor171 wrote: I store an object that holds more information about the request:
Your approach to serialize an object that holds information and to store it in a session sounds weird.
Why is the approach weird? Is anything wrong with storing objects in a session?
Re: $_SESSION security
Posted: Sun Apr 26, 2009 2:34 am
by coalgames
temidayo wrote: kaisellgren wrote:
gregor171 wrote: I store an object that holds more information about the request:
Your approach to serialize an object that holds information and to store it in a session sounds weird.
Why is the approach weird? Is anything wrong with storing objects in a session?
Can't you just place the object in the normal namespace, such as $sessioninfo?
There is nothing wrong with that, but it is just a little awkward.