Jump to content

Recommended Posts

I'm making a text based mmorpg.

 

If I want to save a player's location in a session variable, can the players abuse this?

 

Say I do this when a player logs in:

Where $location is retrieved from a database.

$_SESSION['location'] = $location;

 

From there I'd just use the session variable and when the player changes location write that to the database and change the session variable.

 

 

Now is it possible for a player who knows how these things work to hack the session variables and change them to some other location?

 

And how would I fix this? Just retrieve the location from the database every time or is there some other way to secure this?

Link to comment
https://forums.phpfreaks.com/topic/159249-solved-session-security-question/
Share on other sites

Hello,

 

Session hijacking is a common thing in place. To overcome this, you can regenerate a new session id every time by using session_regenerate_id(). This function will replace the current session id with a new one, and keep the current session information.

 

For your help, I can also provide you the background functionality of session_start(). The events that take place when session_start() is issued in PHP script.

 

1. PHP determines whether session garbage-collection must take place:

a. PHP divides the value of the runtime configuration setting "session.gc_probability" by the value of the runtime configuration setting "session.gc_divisor".  (The default value for session.gc_probability is 1. The default value for session.gc_divisor is 100.)

b. PHP generates a random number.

c. If the random number is smaller than the calculated quotient (i.e. result of session.gc_probability / session.gc_divisor), garbage-collection activates

 

2. If garbage collection is to take place, PHP checks all files in the directory specified by the runtime configuration setting "session.save_path".  It is looking for all files older than the number of seconds in the runtime configuration setting "session.gc_maxlifetime".  All files older than that number of seconds are deleted.

 

3. PHP then checks to see whether a cookie named the same as the runtime configuration setting "session.name" was sent by the browser.

a. If the cookie exists, PHP fetches the value of that cookie.  That value is the current session id.

b. If the cookie does not exist, PHP generates a session id and sets a cookie named as specified in "session.name".  The value of that cookie is the generated session id.

 

4. If a session cookie with a session id was sent by the user's browser, PHP will look in the directory specified by "session.save_path".  It is looking for a file named "sess_" plus the session id.

a. If that file is found, PHP reads the session data stored there and populates $_SESSION.

b. If the file is not found, PHP initializes $_SESSION as empty

 

Hope this information will help you.

 

Cheers!

 

I'm making a text based mmorpg.

 

If I want to save a player's location in a session variable, can the players abuse this?

 

Say I do this when a player logs in:

Where $location is retrieved from a database.

$_SESSION['location'] = $location;

 

From there I'd just use the session variable and when the player changes location write that to the database and change the session variable.

 

 

Now is it possible for a player who knows how these things work to hack the session variables and change them to some other location?

 

And how would I fix this? Just retrieve the location from the database every time or is there some other way to secure this?

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.