EchoFool Posted July 11, 2010

Can users edit their cookie/session and thus change who they are logged in as on a website? If they changed the data from, say, user 1 to user 2, would it work? If so, how is it done? And how is it prevented on the server side? Thanks

https://forums.phpfreaks.com/topic/207391-can-sessions-be-edited/
xcasio Posted July 11, 2010

They can't change session data, but they can easily spoof cookie data.
EchoFool (Author) Posted July 11, 2010

Explain spoof?
PFMaBiSmAd Posted July 11, 2010

The only ways that someone could set a session variable to a specific value is if your code allows it or register_globals are on. Do you have a specific problem you are trying to solve?
EchoFool (Author) Posted July 11, 2010

No, I'm just checking that such a problem could not happen. For example, when a user registers or logs in:

$_SESSION['Current_User'] = 4;

Let's say ID 4. Then I use that ID for everything. But if someone can edit their SESSION via their browser with a cookie editor, then they could set their ID as one of the Admins and thus have staff permissions and appear to be logged in as one of the staff members. So I wanted to make sure that could not happen. And if it could, how is it preventable?
ChemicalBliss Posted July 11, 2010

Sessions have uniquely generated keys; only this key is passed to the user, via either the URL or a cookie. These keys, depending on the number of users visiting your page, are extremely difficult to guess.

Some light reading:
http://phpsec.org/projects/guide/4.html
http://www.sitepoint.com/blogs/2004/03/03/notes-on-php-session-security/

The answers on this page can give some good information if you're really interested:
http://stackoverflow.com/questions/138670/how-unique-is-the-php-session-id

-cb-
EchoFool (Author) Posted July 11, 2010

By saying "extremely difficult", do you mean the possibility can occur?
ChemicalBliss Posted July 11, 2010

Of course. Read those articles I posted; they will tell you everything you need to know.

-cb-
.josh Posted July 11, 2010

Yes, it is possible. It is called session hijacking.

Session variable names and their values are stored on the server in a temporary file. When you start a session, a unique key, an id, is created (by default it is randomly generated, though you can specify what the id is if you want to). This key (id) is stored in a cookie on the user's computer. If cookies are disabled, it is possible to pass the session key (id) as a URL parameter instead. It is not possible to directly access a session variable or its value, because it is stored on the server.

What happens with session hijacking is someone changes the session key (id) cookie value to another value that matches someone else's session key (id). Virtually every browser out there makes it super easy to alter cookie values via built-in developer tools or addons. Also, it's really not that hard to just edit the cookie file directly. Or they specify it in the URL when making a request to the server, which is as easy as just entering the appended URL into your browser URL box and pressing the go button. This is why, when you are on a public or shared computer, it is a good idea to clear your cookies, history, etc. before leaving.

Yes, if someone guesses another user's session key (id), they can send that key in their next request and be logged in as that user. This is why most sites do not show particularly sensitive account information, even within account settings (like credit card numbers, SS numbers, passwords, etc.), and also prompt for info before changing key information (like prompting for the old password to change your password, etc.).
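The points made in this thread (the browser only ever holds the session id, the id can be edited or planted through a cookie or URL, and sensitive changes should re-prompt for the password) translate into a short login flow. This is an added example, not code from the thread or from any poster, and it assumes PHP 7.3 or later, a PDO connection in $pdo, an HTTPS-served site, and a users table with id, username and password_hash columns (password_hash() output); all of those are assumptions for illustration.

```php
<?php
// Added example (not from the original thread). Assumes PHP >= 7.3, a PDO
// connection in $pdo, HTTPS, and a users(id, username, password_hash) table.
declare(strict_types=1);

function startHardenedSession(): void
{
    // The session id is the only session data the client holds, so limit
    // what the client can do with it: cookie only (no ?PHPSESSID= in URLs),
    // reject ids the server never issued (blocks a planted/fixated id), and
    // keep the cookie away from JavaScript and plain HTTP.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,       // assumption: site served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Issue a fresh id on login: any id captured or planted before this
    // point no longer maps to the authenticated session.
    session_regenerate_id(true);
    // The user id lives server-side only; the browser cannot edit it, it can
    // only present a session id and hope it matches a live session.
    $_SESSION['Current_User'] = (int) $row['id'];
    $_SESSION['auth_time']    = time();
    return true;
}

function currentUserId(): ?int
{
    return isset($_SESSION['Current_User']) ? (int) $_SESSION['Current_User'] : null;
}

// A sensitive change re-checks the password instead of trusting the session
// alone: someone holding a hijacked session id does not hold the password.
function changePassword(PDO $pdo, string $oldPassword, string $newPassword): bool
{
    $userId = currentUserId();
    if ($userId === null) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($oldPassword, (string) $hash)) {
        return false;
    }
    $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    $upd->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);
    session_regenerate_id(true);   // rotate the id after a credential change
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();   // removes the server-side file, so the old id is dead
}
```

With session.use_strict_mode on, a cookie edited to an id the server never generated simply starts an empty session rather than being adopted, and session_regenerate_id(true) on login means an id an attacker planted beforehand is not the id the logged-in session ends up with. What remains is the case .josh describes, a live id of another user that is stolen or guessed, which the HttpOnly and Secure flags, the short cookie lifetime, and the password re-prompt on sensitive actions are there to limit.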