Jump to content

can sessions be edited?

EchoFool

By EchoFool
in PHP Coding Help

 Share

Recommended Posts

EchoFool Advanced Member

EchoFool

Posted
  • Author
Posted

no im just checking such a problem could not happen for example....

 

when a user registers or logs in $_SESSION['Current_User'] = 4;  lets say ID 4.

 

Then i use that ID for everything. But if some one can edit their SESSION via their browser with a cookie editor, then they could set their ID as one of the Admins and thus have staff permissions and appear to be logged in as one of the staff members.

 

So wanted to make sure that could not happen. And if it could how is it preventable.

Link to comment
Share on other sites
ChemicalBliss Newbie

ChemicalBliss

Posted
Posted

Sessions have uniquely generated Keys, only this key is passed to the user via either the URL, or a COOKIE.

 

These keys, depending on the amount of Users visiting your page is extremely difficult to guess.

 

Some light reading:

http://phpsec.org/projects/guide/4.html

http://www.sitepoint.com/blogs/2004/03/03/notes-on-php-session-security/

 

The answers on this page can give some good information if your really interested:

http://stackoverflow.com/questions/138670/how-unique-is-the-php-session-id

 

-cb-

Link to comment
Share on other sites
.josh Advanced Member

.josh

Posted
Posted

yes it is possible. It is called session hijacking.

 

Session variable names and their values are stored on the server in a temporary file. When you start a session, a unique key - an id - is created (by default it is randomly generated, though you can specify what the id is if you want to).  This key (id) is stored in a cookie on the user's computer.  If cookies are disabled, it is possible to pass the session key (id) as a url parameter instead.

 

It is not possible to directly access a session variable or its value, because it is stored on the server.  What happens with session hijacking is someone changes the session key (id) cookie value to another value that matches someone else's session key (id).  Virtually every browser out there makes it super easy to alter cookie values via built-in developer tools or addons.  Also it's really not that hard to just edit the cookie file directly.  Or specifies it in the url when making a request to the server, which is as easy as just entering in the appended url into your browser url box and pressing the go button.  This is why when you are on a public or shared computer, it is a good idea to clear your cookies, history etc.. before leaving.

 

Yes, if someone guesses another user's session key (id) they can send that key in their next request and be logged in as that user.  This is why most sites do not show particularly sensitive account information, even within account settings (like credit card numbers, ss numbers, passwords, etc...), and also prompt for info before changing key information (like prompting for old pw to change your pw, etc...).

 

 

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.