[SOLVED] session security question

Yeodan

I'm making a text based mmorpg.

 

If I want to save a player's location in a session variable, can the players abuse this?

 

Say I do this when a player logs in:

Where $location is retrieved from a database.

$_SESSION['location'] = $location;

 

From there I'd just use the session variable and when the player changes location write that to the database and change the session variable.

 

 

Now is it possible for a player who knows how these things work to hack the session variables and change them to some other location?

 

And how would I fix this? Just retrieve the location from the database every time or is there some other way to secure this?


Hello,

 

Session hijacking is a common thing in place. To overcome this, you can regenerate a new session id every time by using session_regenerate_id(). This function will replace the current session id with a new one, and keep the current session information.

 

For your help, I can also provide you the background functionality of session_start(), i.e. the events that take place when session_start() is issued in a PHP script.

 

1. PHP determines whether session garbage-collection must take place:

a. PHP divides the value of the runtime configuration setting "session.gc_probability" by the value of the runtime configuration setting "session.gc_divisor".  (The default value for session.gc_probability is 1. The default value for session.gc_divisor is 100.)

b. PHP generates a random number.

c. If the random number is smaller than the calculated quotient (i.e. the result of session.gc_probability / session.gc_divisor), garbage-collection activates.

 

2. If garbage collection is to take place, PHP checks all files in the directory specified by the runtime configuration setting "session.save_path".  It is looking for all files older than the number of seconds in the runtime configuration setting "session.gc_maxlifetime".  All files older than that number of seconds are deleted.

 

3. PHP then checks to see whether a cookie named the same as the runtime configuration setting "session.name" was sent by the browser.

a. If the cookie exists, PHP fetches the value of that cookie.  That value is the current session id.

b. If the cookie does not exist, PHP generates a session id and sets a cookie named as specified in "session.name".  The value of that cookie is the generated session id.

 

4. If a session cookie with a session id was sent by the user's browser, PHP will look in the directory specified by "session.save_path".  It is looking for a file named "sess_" plus the session id.

a. If that file is found, PHP reads the session data stored there and populates $_SESSION.

b. If the file is not found, PHP initializes $_SESSION as empty.

 

Hope this information will help you.

 

Cheers!
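To put the two posts together in code: $_SESSION data lives on the server (in the "sess_" files described in step 4), so a player cannot edit the stored location directly; what they can attack is the cookie carrying the session id, which is why the reply recommends session_regenerate_id(). The example below is added here and is not code from either poster. It shows a login handler that regenerates the id and loads the location from the database, and a move handler that treats the requested destination as untrusted and checks it against the player's current location before writing to both the database and the session. The table and column names (players, locations, location_links) and the PDO connection details are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Table/column names and the DSN are
// placeholders chosen for illustration.

declare(strict_types=1);

// Cookie flags: the id is not readable by page scripts (httponly) and is only
// sent over HTTPS (secure). These must be set before session_start().
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
// Reject session ids the server never issued (PHP >= 5.5.2).
ini_set('session.use_strict_mode', '1');
session_start();

function db(): PDO
{
    // Connection details are placeholders.
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=game', 'user', 'pass', [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    }
    return $pdo;
}

// Call this after the password check has succeeded. Regenerating the id here
// means an id captured or fixed before login no longer refers to the logged-in
// session; the old session file is deleted (true) rather than left behind.
function loginPlayer(int $playerId): void
{
    session_regenerate_id(true);
    $stmt = db()->prepare('SELECT location_id FROM players WHERE id = ?');
    $stmt->execute([$playerId]);
    $_SESSION['player_id'] = $playerId;
    $_SESSION['location']  = (int) $stmt->fetchColumn();
}

// Handle a move request. $destinationId comes from the player and is untrusted;
// $_SESSION['location'] was written by the server. Checking adjacency in the
// database means a player cannot jump to an arbitrary location even if they
// know a valid destination id.
function movePlayer(int $destinationId): bool
{
    if (!isset($_SESSION['player_id'], $_SESSION['location'])) {
        return false; // not logged in
    }
    $stmt = db()->prepare(
        'SELECT 1 FROM location_links WHERE from_id = ? AND to_id = ?'
    );
    $stmt->execute([$_SESSION['location'], $destinationId]);
    if ($stmt->fetchColumn() === false) {
        return false; // not a legal move from where the player actually is
    }
    $upd = db()->prepare('UPDATE players SET location_id = ? WHERE id = ?');
    $upd->execute([$destinationId, $_SESSION['player_id']]);
    $_SESSION['location'] = $destinationId; // keep session and database in step
    return true;
}

// Logout: clear the server-side data and drop the session file.
function logoutPlayer(): void
{
    $_SESSION = [];
    session_destroy();
}
```

With this layout the session is only a cache of what the database says, and every change to it goes through a server-side check, so re-reading the location from the database on every request is not needed for correctness; the remaining risk is someone obtaining the session cookie itself, which the cookie flags and session_regenerate_id() at login address.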

 
