If it's true, and I know the value of PHPSESSID, can I fake that user?

+3  A: 

Kind of. If you know the Session ID you can hijack her session.

You could also transparently pass the Session ID via the URL by enabling --enable-trans-sid in your PHP Ini, which makes accidental session hijacking more common, e.g. when people send links around that contain the SID. So you're better off with Cookies as they are much harder to steal.

However, you can rename PHPSESSID to a different key to make attempts at guessing the key somewhat harder or use custom session handlers that do additional checking on the request, e.g. check the IP or against another cookie.

See

Gordon
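An added example, not Gordon's code or any project's, showing in PHP the three mitigations the answer lists: keeping the session ID out of URLs, renaming the session key, and a custom additional check that binds the session to a second cookie. The cookie names APPSESS and APPBIND and the onLoginSuccess function are names chosen for this example; it assumes the site is served over HTTPS.

```php
<?php
// Added example (not from the original answer): harden PHP session handling
// against the hijacking described above by (1) keeping the session ID out of
// URLs, (2) using a non-default cookie name, and (3) binding the session to a
// second, independent token so a leaked session ID alone is not enough.
declare(strict_types=1);

// 1. Never accept or emit the session ID in the URL; cookies only.
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
ini_set('session.cookie_httponly', '1');   // keep the cookie away from JavaScript
ini_set('session.cookie_secure', '1');     // assumes the site is served over HTTPS
ini_set('session.cookie_samesite', 'Strict');

// 2. Use a non-default cookie name instead of PHPSESSID.
session_name('APPSESS');   // name chosen for this example
session_start();

// 3. Bind the session to a second random token stored in its own cookie.
//    Both the session cookie and this token must be presented together.
const BIND_COOKIE = 'APPBIND';   // cookie name chosen for this example

if (!isset($_SESSION['bind_token'])) {
    // First request of a fresh session: issue the binding token.
    $_SESSION['bind_token'] = bin2hex(random_bytes(32));
    setcookie(BIND_COOKIE, $_SESSION['bind_token'], [
        'httponly' => true, 'secure' => true, 'samesite' => 'Strict', 'path' => '/',
    ]);
} elseif (
    !isset($_COOKIE[BIND_COOKIE])
    || !hash_equals($_SESSION['bind_token'], $_COOKIE[BIND_COOKIE])
) {
    // Session cookie presented without the matching token: treat as a hijack attempt.
    session_unset();
    session_destroy();
    http_response_code(403);
    exit('Session validation failed');
}

// After a privilege change (e.g. login), rotate the ID so a pre-login ID is useless.
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

Checking the client IP, which the answer also mentions, can be added to the same `elseif` test, but it breaks legitimate sessions for users behind NAT or on mobile networks whose address changes mid-session.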