I am currently doing a website in PHP, and we are using a session variable to store the permission level of each user.

For example, if any one of you would go on the website, you would automatically get a session variable with a value of "member".

What I am asking is: Is it possible for an attacker to go on the website and modify the value of the session variable to "admin" instead of "member"?

I am not asking how, just if it is possible, and if so, what kind of special access the attacker would need (ex: access to the code, ...).

I have an alternative solution, which would be to replace the permission value with a token that would expire over time.

The second solution is way longer to implement.

Thanks for your help!

+2  A: 

From what you've described I assume you aren't storing the permission in a cookie. Therefore, the only way they could get access would be to guess/brute force an administrator's session ID or use some cross-site scripting attack. If your session IDs are sufficiently long, the first method would be very hard to accomplish.

GWW
I am not using cookies whatsoever. Thanks for the quick answer!
Lobsterm
@Lobsterm Are you explicitly passing the session ID around in the query string? Otherwise you are using cookies whether you realize it or not.
meagar
+1  A: 

Your session variables should be safe because the session is stored on the server. However, in order to relate a specific client with a specific session, a cookie is usually set that contains a session ID, and an attacker could try to access a different user's session by munging their session ID cookie (either by brute force or by somehow capturing someone else's cookie).

Daniel Vandersluis
+8  A: 

No, unless:

  • The attacker had access to the storage of the session variables (usually the filesystem of the server, but could also be e.g. a database)
  • The attacker intercepted a session cookie of a more privileged user.
  • The attacker successfully fixated the session of a more privileged user (see session fixation attacks).

Artefacto
+1  A: 

It depends on how you are storing the session. If it is in the URL, then yes. If it is in a cookie, then maybe.

icco
+1  A: 

Unless there's a security flaw in your app, someone can't just up and change session variables -- those are stored on the server, and the client never has direct access to them.

What they can do, however, is change their session ID by going to a URL like http://your.site.com/?PHPSESSID=2342f24502ade525. The potential for abuse there is twofold: (1) if they happened to know a logged-in user's session ID somehow, the session ID would let them impersonate that user, giving them all the access that user has; and (2) if they can trick someone into going to a URL that has a session ID attached, and that person logs in, they now know that user's session ID (because they provided it!), and we're back to (1).

cHao
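A session setup that closes the two holes described in the answers above (a session ID accepted from the URL, and a fixated or stolen ID surviving login), as an added example that is not code from any of the posters. It assumes PHP 7.3+ and uses a hypothetical "admin" role name; the role is decided on the server after the site's own credential check, which is not shown.

```php
<?php
// Added example, not from the original thread. Assumes PHP 7.3+.
declare(strict_types=1);

// 1. Never accept a session ID from the query string, and discard IDs the server never issued.
ini_set('session.use_only_cookies', '1');   // ?PHPSESSID=... in the URL is ignored
ini_set('session.use_trans_sid', '0');      // links are never rewritten to carry the ID
ini_set('session.use_strict_mode', '1');    // an uninitialized (attacker-chosen) ID gets replaced

// 2. Make the cookie harder to steal or replay: HTTPS only, no JavaScript access, no cross-site sends.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

/** Called only after the application has verified the credentials (verification not shown). */
function login_user(string $username, string $role): void
{
    // 3. Issue a fresh ID at the privilege change, so an ID planted before login is worthless.
    session_regenerate_id(true);          // true = remove the old session record
    $_SESSION['user']    = $username;
    $_SESSION['role']    = $role;         // decided server side, never read from the request
    $_SESSION['created'] = time();
}

/** Authorisation check: the role lives in $_SESSION on the server; the client only holds the opaque ID. */
function require_role(string $needed): void
{
    // Cap session age so a captured cookie stops working after a fixed window (8 hours here).
    if (time() - ($_SESSION['created'] ?? 0) > 8 * 3600) {
        session_destroy();
        http_response_code(403);
        exit('Session expired');
    }
    if (($_SESSION['role'] ?? '') !== $needed) {
        http_response_code(403);
        exit('Forbidden');
    }
}

function logout_user(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/', '', true, true);
    session_destroy();
}
```

With `use_only_cookies` and `use_strict_mode` set, the `?PHPSESSID=...` trick from the answer above has no effect, and `session_regenerate_id(true)` at login is the standard PHP defence against fixation.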
+2  A: 

The higher risk comes from an attacker stealing an active session; you can find out about it here:

Ast Derek