In my PHP Web-App I use sessions to store the user's data. For example, if a user logs in, then an instance of the User class is generated and stored in a Session.

I have access levels associated with each user to determine their privileges.

Store the user in a session by:

$_SESSION['currentUser'] = new User($_POST['username']);

For example:

if($_SESSION['currentUser'] -> getAccessLevel() == 1)
{
  //allow administration functions
}

where getAccessLevel() is simply a get method in the User class that returns the _accesslevel member variable.

Is this secure? Or can the client somehow modify their access level through session manipulation of some sort?

+1  A: 

No, the client cannot modify their access level. The only thing stored on the client is the session key, which is either propagated via cookie or GET parameter. The session key ties to a corresponding session record, which is a file stored on the server side (usually in a temp directory) which contains the 'punch'. What you don't want is for a session key to get leaked to a third party:

A leaked session id enables the third party to access all resources which are associated with a specific id.

Take a look at this: http://www.php.net/manual/en/session.security.php

karim79
How would it leak, assuming I don't pass the session_id in the query string nor through POST (unless it happens automatically, though I'm not aware of such a thing), and assuming they don't have access to the server?
Sev
@Sev - Your network traffic can be sniffed. Cookies/Get Parameters/Whatever are all plain-text and easily extractable unless you use SSL.
karim79
You're right, thank you.
Sev
+1  A: 

The session information is stored on the server and the user only has access to a key. In practice I have used something of this sort, with extra steps. After validating the user details and storing the User object, I would have a query that is run when viewing any of your protected pages to validate that what is in the session is okay with what they're trying to view. At the top of your page.php:

if(!validUser($user)){ 
   // Relocate the user
}

where

function validUser(User $user)
{
   // Some query to verify the information in the session
   // Return the results of verification
}
manyxcxi
Essentially what you're saying is query the database and make sure the data matches with the session data? Well, to do this, I would need to query the DB with the username stored in a session through $_POST, and if they have already modified their session, they can presumably have modified their username as well.
Sev
You can protect against this by storing a one time salt or the session id in the User object when they log in. A column in the user or logged_in_user table could store it. That way when User->name and User->salt don't match what's in the database, they're invalidated.
manyxcxi
Excellent. Thanks.
Sev
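
The re-validation described in this answer and its comments, as an added example that is not code from the original posters: a per-login token is stored both in the session and in a database column, and every protected page re-checks it and reads the access level from the database. The `users` table, its column names and the `loginUser` helper are assumptions; an in-memory SQLite database and a plain array stand in for the real user table and `$_SESSION`.

```php
<?php
declare(strict_types=1);

// Call only after the password check has succeeded.
function loginUser(PDO $db, array &$session, string $username): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);       // fresh session id for the logged-in state
    }
    $token = bin2hex(random_bytes(32));    // per-login token (the "one time salt")
    $db->prepare('UPDATE users SET login_token = ? WHERE username = ?')
       ->execute([$token, $username]);
    $session['username'] = $username;
    $session['login_token'] = $token;
}

// Returns the access level from the database, or null if the session is not valid.
function validUser(PDO $db, array $session): ?int
{
    if (!isset($session['username'], $session['login_token'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT login_token, access_level FROM users WHERE username = ?');
    $stmt->execute([(string) $session['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['login_token'] === null) {
        return null;                       // unknown user, or not logged in
    }
    if (!hash_equals($row['login_token'], (string) $session['login_token'])) {
        return null;                       // session token is stale or does not match
    }
    return (int) $row['access_level'];     // trust the database row, not the session copy
}

// Constructed demo: in-memory SQLite and a plain array stand in for the
// real user table and $_SESSION. Table and column names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, access_level INTEGER, login_token TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 1, NULL), ('bob', 2, NULL)");

$session = [];
loginUser($db, $session, 'bob');
var_dump(validUser($db, $session));        // bob's own level, read from the database
$session['username'] = 'alice';            // session now names a different user
var_dump(validUser($db, $session));        // no matching token for alice in the database
```

With this in place, the check from the question becomes a comparison of `validUser($db, $_SESSION)` against the required level on each protected page, so a level changed or revoked in the database takes effect on the next request.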
A: 

I thought the only way for the user to manipulate something like that was if it was stored in a cookie on the user's computer.

Is the getaccesslevel stored to a cookie or is it called from the server only after checking the login cookie and not stored on the user's computer?

I would assume that if it is called on the server only after the user is logged in then they would not be able to easily manipulate that other than through other means of security holes.

Just my guess though, I'm not that great with security myself yet. I will keep an eye on this to see what others have to say and maybe I can learn something.

TankDriver