views: 48
answers: 3

I am wondering whether it's possible to change/set/delete my session variable AS A USER.

I am re-thinking the way that I do login realm in PHP. The way that I do it now is that I check whether a certain session variable is set or not. However, this would break if someone can just change his/her session variable.

A: 

No, you have complete control over the session content.

All the user can do is remove the session cookie, thus dissociating himself from a given session, but he cannot change its contents.

Artefacto
`All the user can do is remove the session cookie` technically speaking, they could mess around with the session id itself.
George Marian
@George Which would have exactly the same effect, short of a catastrophe (or if they sniffed a session cookie).
Artefacto
`or if they sniffed a session cookie` a very important distinction that I feel needs to be made clear. Hence, my comment.
George Marian
A: 

Given that you do not have a method / form (inadvertently or actively) to allow the user to actively change this data, no. They should not be able to change their username etc.

Since session data is stored on the server, yeah, they would be hard set to set this themselves. If register_globals is turned on, this might be a possibility, but that would also require other circumstances to be true.

But in the whole, no, a user should not be able to change the session data unless you provide them a means to.

Brad F Jacobs
+1 for bringing up register_globals.
George Marian
The register_globals comment doesn't really make sense. By itself, it doesn't put anything in the session, you'd have to have a bug in your application, which you could just as well introduce without `register_globals`.
Artefacto
Artefacto, "If register_globals is turned on, this might be a possibility, but that would also require other circumstances to be true". Yes register_globals by itself would not cause the possible exploit, but if they do not always define their variables properly or check, this could potentially allow a user to exploit it. That was more or less what I was getting at with the "other circumstances to be true" portion.
Brad F Jacobs
@Artefacto Couldn't it be clobbered with say something like: `<input name="_SESSION['something']" type="text" value="some value"/>` (I resubmitted this comment and deleted my earlier comment, as I failed at typing Artefacto's name.)
George Marian
@George I don't really think so, I think it would be the other way around, i.e. the superglobal hiding the user-submitted variable, but it's been a long time since I've dealt with register_globals.
Artefacto
A: 

The user can't act on session variables, except through whatever functionality you expose. The session variables are stored on the server and are not exposed to the user automatically.

The only thing that the user may be able to do is mess with the session id.

George Marian
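The pattern the answers describe (authentication state kept in `$_SESSION` on the server, with the session id as the only thing the client can influence) as an added example. This is not code from the question or from any of the answerers; the function names, the constructed credential store and the cookie settings are this example's own assumptions, chosen so the script runs stand-alone under `php -S`.

```php
<?php
// Added example (not from the question or any of the answers): a minimal
// PHP login realm that keeps the authentication state in $_SESSION, which
// lives on the server, and guards the one thing the client can influence,
// the session id. Function and variable names are this example's own.

declare(strict_types=1);

// Constructed credential store for the example; a real application would
// look the hash up in a database. The hash is generated at startup so the
// example is self-contained (and therefore recomputed on every request).
const EXAMPLE_USER = 'alice';
$EXAMPLE_HASH = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

function start_session_securely(): void
{
    // Reject session ids the server never issued (so a client cannot pick
    // its own id) and keep the cookie away from script and plain HTTP.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);
    session_start();
}

function is_logged_in(): bool
{
    // The check the asker describes: presence of a server-side session key.
    // Only server code can set it, so the client cannot grant itself access
    // by editing anything it holds; it can only present (or drop) an id.
    return isset($_SESSION['user']) && is_string($_SESSION['user']);
}

function login(string $user, string $password, string $storedHash): bool
{
    if ($user !== EXAMPLE_USER || !password_verify($password, $storedHash)) {
        return false;
    }
    // Issue a fresh id on privilege change so an id that was chosen or
    // observed before login is not carried into the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client, then destroy the server-side record.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Request handling (plain-text responses; escape before emitting into HTML).
start_session_securely();
$action = (string)($_POST['action'] ?? '');
if ($action === 'login') {
    $ok = login((string)($_POST['user'] ?? ''),
                (string)($_POST['password'] ?? ''),
                $EXAMPLE_HASH);
    echo $ok ? "logged in\n" : "bad credentials\n";
} elseif ($action === 'logout') {
    logout();
    echo "logged out\n";
} else {
    echo is_logged_in() ? "hello {$_SESSION['user']}\n" : "anonymous\n";
}
```

Run it with `php -S 127.0.0.1:8080 login.php` and POST `action=login&user=alice&password=correct horse battery staple`; a following GET with the returned cookie prints the greeting, while a request that only changes the cookie value is treated as anonymous because `use_strict_mode` discards ids the server did not issue. The `session_regenerate_id(true)` call is the defensive answer to the "mess with the session id" point in the answers: whatever id the browser held before authenticating is never the id of the authenticated session.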