freelance84 Posted July 6, 2010 (https://forums.phpfreaks.com/topic/206906-fake-a-_session/)

Good evening all, I'm just going through my site checking for any security issues I may have missed... Is it possible for someone to "fake" a $_SESSION variable? There are several MySQL queries which are using the $_SESSION variables as part of the query... Therefore, if someone managed to "fake" a $_SESSION they could make some of the queries unsafe, as I haven't run any of the $_SESSION variables through mysql_real_escape_string. I know mysql_real_escape_string is designed to make any user input safe for MySQL, so this may apply if they "fake" the $_SESSION?
wildteen88 Posted July 6, 2010

$_SESSION variables will not be accessible from the browser, so no, you won't be able to alter the session values, as they are stored on the server. However, if you're assigning user input to any session variables, it is important you sanitize this input so that it is safe to use within your SQL queries.
PFMaBiSmAd Posted July 6, 2010

You cannot fake a session variable, but if register_globals is on, anyone can set one of your session variables to any value they want by simply supplying a same-name cookie, post, or get variable when they request your page. If the value you put into a session variable originally came from the visitor, such as their username from a form, as long as you escaped it when it was originally received, it would be safe to put the session variable directly into a query.
freelance84 (author) Posted July 6, 2010

Scenario: A registered user logs in. Their username and userID are stored for the session as $_SESSION's. These $_SESSION's are then used to determine what to delete and what to change in the SQL commands. My concern was that a clever user would be able to change the session variable somehow after logging in, therefore making the mysql command unsafe.
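The scenario above (log in, store the user's id and username in the session, then use the session values to decide what to delete), written out as an added example that is not code from the thread or from any poster. It assumes PHP 7+ with PDO and the pdo_sqlite driver; an in-memory SQLite database stands in for the poster's MySQL database, and the table and column names (users, notes, user_id) are invented for the illustration. Instead of mysql_real_escape_string (the mysql extension is gone in PHP 7), the session values are bound as prepared-statement parameters, so a quote in a username, or a tampered session value of the kind PFMaBiSmAd describes for register_globals, is treated as data rather than SQL. The WHERE clause also pins the deleted row to the logged-in user's id, which is the check that actually protects other users' rows.

```php
<?php
// Added example for the phpfreaks thread above; not the poster's code.
// Assumptions: PHP 7+, PDO with pdo_sqlite. Table/column names are made up.
declare(strict_types=1);

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample database standing in for the poster's MySQL tables.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)');
$ins = $pdo->prepare('INSERT INTO users (id, username, password_hash) VALUES (?, ?, ?)');
$ins->execute([1, 'alice', password_hash('alice-pw', PASSWORD_DEFAULT)]);
// Bob's username contains quote characters, the case the thread worries about.
$ins->execute([2, "bob' OR '1'='1", password_hash('bob-pw', PASSWORD_DEFAULT)]);
$pdo->exec("INSERT INTO notes (id, user_id, body) VALUES (10, 1, 'alice note'), (20, 2, 'bob note')");

// Login is the only place user input enters the session, and only after the
// password check passes. Store the server-assigned id, not just the typed name.
function login(PDO $pdo, array &$session, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // In a real request handler, call session_regenerate_id(true) here so a
    // session id the visitor held before logging in is not kept.
    $session['user_id']  = (int) $row['id'];
    $session['username'] = $row['username'];
    return true;
}

// Delete: the session value is bound as a parameter, never spliced into the
// SQL string, and the WHERE clause also restricts the row to the logged-in user.
function deleteNote(PDO $pdo, array $session, int $noteId): int
{
    if (!isset($session['user_id'])) {
        return 0; // not logged in
    }
    $stmt = $pdo->prepare('DELETE FROM notes WHERE id = ? AND user_id = ?');
    $stmt->execute([$noteId, $session['user_id']]);
    return $stmt->rowCount();
}

function countNotes(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM notes')->fetchColumn();
}

// A plain array stands in for $_SESSION so the script runs from the CLI
// without session_start(); a web handler would pass $_SESSION instead.
$session = [];

check(login($pdo, $session, "bob' OR '1'='1", 'bob-pw'), 'bob logs in');
check($session['user_id'] === 2, 'session holds bob\'s id');

// Bob tries to delete Alice's note: the ownership check rejects it.
check(deleteNote($pdo, $session, 10) === 0, 'cannot delete another user\'s note');
// Bob deletes his own note: succeeds.
check(deleteNote($pdo, $session, 20) === 1, 'deletes own note');
check(countNotes($pdo) === 1, 'one note left');

// Even if a session value were tampered with (the register_globals case from
// the thread), a bound parameter is compared as data: this string matches no
// user_id, so nothing is deleted.
$tampered = ['user_id' => '1 OR 1=1'];
check(deleteNote($pdo, $tampered, 10) === 0, 'tampered session value deletes nothing');
check(countNotes($pdo) === 1, 'alice\'s note survives');

echo "ok\n";
```

Run it with `php example.php`; it prints `ok` when every check passes. The point of the last check is the one the thread circles around: parameter binding removes the injection risk whatever value ends up in the session, but it does nothing about a session that holds the wrong user's id, which is why the delete also filters on user_id and why the login handler should regenerate the session id.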