views: 151

answers: 3

IN PHP: Is there a way for the user to fake a session variable?

Is it secure to trust in the value of a session variable for a login system?

+7  A: 

The session data is stored on the server. Only the session id is transferred back and forth between the client and the server. Unless a server-side script messes up (or there is a bug), the client cannot change the session data directly. But you have to ensure that only the "correct" client knows the session id, as it ties this particular client to a particular session. E.g. (since you mentioned a login) use session_regenerate_id() whenever a login (attempt) is performed to prevent session fixation.

VolkerK
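As an added example (not code from the answer above), here is what that advice looks like in a minimal PHP login handler: the session id is rotated with session_regenerate_id() at the moment privileges change, and the cookie/session settings are tightened so the server only honours ids it issued itself. The function verify_credentials() is a hypothetical stand-in for whatever password check the application uses.

```php
<?php
// Added example, not from the original answer. verify_credentials() is a
// hypothetical helper representing the application's own password check.

// Reject session ids the server never issued (PHP >= 5.5.2). With this off,
// an attacker-chosen id sent in a cookie would be adopted as-is, which is the
// precondition for session fixation.
ini_set('session.use_strict_mode', '1');
// Keep the id out of JavaScript, off plain HTTP, and out of URLs.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.use_only_cookies', '1');

session_start();

function login(string $user, string $pass): bool
{
    if (!verify_credentials($user, $pass)) {   // hypothetical helper
        return false;
    }
    // Discard the pre-login id: any id planted or observed before this point
    // no longer maps to the authenticated session. The "true" argument deletes
    // the old session file rather than leaving a stale copy behind.
    session_regenerate_id(true);
    $_SESSION['userName']  = $user;
    $_SESSION['loginTime'] = time();
    return true;
}

function logout(): void
{
    // Clear server-side data, expire the cookie, then destroy the session.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// A check such as ($_SESSION['userName'] === 'admin') is safe only because the
// value was written by login() on the server; the client never sends it.
```

The key point the answer makes is that $_SESSION values never travel to the browser, so the only thing worth protecting is the id that selects them; regenerating it on login and refusing unknown ids covers the fixation case VolkerK mentions.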
+3  A: 

Yes. It's called session forge/hijack.

You change the value of the session cookie until you get another user session.

TiuTalk
+1 for pointing out session hijacking, but I must add that it doesn't change the variable on the server. It may just allow one user to pose for another. The security/likelihood of this depends on the complexity of your session IDs and how long they're valid for.
deceze
Because of the second part of the OP's question, I think this response best answers the overall question's intent.
overslacked
For the sake of simplicity, let's say I have `if ($_SESSION['userName'] == "admin") { // things for admin } else { // things for the rest }`. Is there a way to forge/hijack the userName session variable? Why does nobody talk about this???
The Disintegrator
Wow, a Google search for "session forge/hijack" returns this page as the first result, 33 minutes after I wrote the question!!!
The Disintegrator
@The Disintegrator: We have all talked about it, we're trying to explain to you that userName as a variable is stored on the server referenced by some hash, say 'mmr3oe8e98y4tuhgdoghd89g' (I just hit random keys). Now, the actual client has a single cookie, usually called PHPSESSID, which contains that string so that the server can use it to find the data. So if someone were randomly typing strings, they could theoretically retrieve another user's session and use their userName.
animuson
@animuson By "nobody" I was talking about OUTSIDE this. Whenever I see any article talking about sessions, there is no reference to session hijacking. Is it bad to try to do a fact check before trusting the security of a system?
The Disintegrator
-1 this is not a real attack. Normal session ids are very large and it would take trillions of requests to obtain another valid session.
Rook
-1, because this answer doesn't answer the question.
Kai Sellgren
+4  A: 

Sessions are stored on your server, either in a file or in memory. The user only holds a cookie that defines the path (usually a hash of some form) to the session data on your server. Theoretically you could change the cookie to someone else's hash, but that is very, very improbable, unless you store them as files and don't delete them after they expire, in which case the probability of someone exploiting an old session would increase.

animuson
Very, very improbable, when applied over billions of transactions, can very easily become something worth worrying quite a lot about. Of course, I have no idea as to the scale of the OP's project, but it's something to consider.
overslacked
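The caveat in this answer (old session files that are never cleaned up widen the window for guessing a valid id) is worth handling explicitly, because PHP's garbage collector only runs on a fraction of requests. The following added example (not code from the answer) enforces an idle limit and an absolute limit inside the script itself, so an expired session is rejected even if its file still exists on disk. It assumes the login code stores a 'loginTime' timestamp when it authenticates the user.

```php
<?php
// Added example, not from the original answer. Assumes login code sets
// $_SESSION['userName'] and $_SESSION['loginTime'] when it authenticates.

const IDLE_LIMIT     = 30 * 60;      // seconds allowed between requests
const ABSOLUTE_LIMIT = 8 * 60 * 60;  // seconds since login, activity or not

// gc_maxlifetime only tells the collector which files are stale; collection
// itself runs with probability gc_probability/gc_divisor per session_start(),
// so it must not be the only thing standing between a stale file and a login.
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
ini_set('session.use_strict_mode', '1');

session_start();

// Pure function so the policy can be unit-tested without a real session.
function session_is_fresh(array $s, int $now): bool
{
    if (!isset($s['userName'])) {
        return false;                                   // not logged in
    }
    if (isset($s['lastActivity']) && $now - $s['lastActivity'] > IDLE_LIMIT) {
        return false;                                   // idle too long
    }
    if (isset($s['loginTime']) && $now - $s['loginTime'] > ABSOLUTE_LIMIT) {
        return false;                                   // login too old
    }
    return true;
}

$now = time();
if (!session_is_fresh($_SESSION, $now)) {
    // Remove the data server-side so the file is empty even before gc runs,
    // then force a fresh login.
    $_SESSION = [];
    session_destroy();
    http_response_code(401);
    exit('Session expired, please log in again.');
}
$_SESSION['lastActivity'] = $now;
```

With this in place the "someone exploiting an old session" scenario from the answer fails at the application layer: a guessed id that happens to match a leftover file still yields a session the script refuses to honour.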