knobby2k, posted September 8, 2011

Hi guys, quick and simple question: should you cleanse the data that you recover from a session? i.e. I have my username in a session to ensure the user is logged in... so, on my page should I be cleansing the data with the various striptags, stripslashes, htmlspecialchars, etc.? OR, as long as I check that the data matches what I expect to be entered at the time it is input by the user, will that data still be safe when I call the session?

I suppose what I am asking is: can a malicious user spoof a session, so that I call $_SESSION['username'] and it turns out to be $_SESSION['lots of damaging code']?

Thanks

Thread: https://forums.phpfreaks.com/topic/246737-cleanse-data-in-sessions/
voip03, posted September 8, 2011

These articles are for you:
http://stackoverflow.com/questions/328/php-session-security
http://www.sitepoint.com/notes-on-php-session-security/
xyph, posted September 8, 2011

You should call htmlspecialchars() on anything you want to echo that you don't expect to contain HTML code, unless you KNOW that variable can't contain malicious data (integers, floats, etc.).

It's very hard for a user to change session data unless you allow them to, for example:

$_SESSION['someVar'] = $_GET['something'];

If you're on a shared host, and the host hasn't locked down the session files, it's possible for another user on the same machine to inject malicious code into a session. This is unavoidable from a programmer's perspective, and the only way to protect from this RARE form of attack is to sanitize every session variable before use (htmlspecialchars() for display, mysql_real_escape_string() for MySQL). This is a little extreme though, as the attack can be hard to pull off.

Any time any form of data is supplied by an outside source, you should sanitize it before use.
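The two rules in the answer above (validate at the point where untrusted input is stored, escape for the output context when it comes back out) as a worked PHP example. This is an added example by the editor, not code from the thread. The username whitelist pattern, the function names, the table and column names, and the use of PDO prepared statements for the database path (in place of the mysql_real_escape_string() the post mentions) are all the editor's choices. The sample inputs are constructed, and the session is modelled as a plain array so the script runs from the command line without a web server.

```php
<?php
// Added example, not from the original thread. Shows: validate before storing
// into the session, re-check when reading it back (defence in depth against a
// tampered session file on a shared host), and escape per output context.
declare(strict_types=1);

// Constructed sample inputs standing in for $_POST from a login form.
$samplePosts = [
    ['username' => 'knobby2k'],                  // passes the whitelist
    ['username' => '<script>alert(1)</script>'], // rejected at input time
    ['username' => "' OR 1=1 --"],               // rejected at input time
];

// Whitelist rule (assumption for this example): 3-20 chars, [A-Za-z0-9_].
function validUsername(string $candidate): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $candidate) === 1;
}

// The insecure pattern quoted in the answer: whatever the client sent now
// lives in the session and will be trusted on every later request.
function loginInsecure(array $post, array &$session): void
{
    $session['username'] = $post['username'] ?? '';
}

// Hardened: only data that passed the whitelist reaches the session.
function loginHardened(array $post, array &$session): bool
{
    $name = $post['username'] ?? '';
    if (!validUsername($name)) {
        return false;            // nothing stored, user is not logged in
    }
    $session['username'] = $name;
    return true;
}

// Reading back for HTML output. The whitelist is re-applied because the
// session store itself may have been modified (shared host, as in the post);
// then the value is escaped for the HTML context it is printed into.
function greetingHtml(array $session): string
{
    $name = $session['username'] ?? '';
    if (!validUsername($name)) {
        return '<p>Session invalid, please log in again.</p>';
    }
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Welcome back, {$safe}</p>";
}

// Same value going to the database: HTML escaping does nothing useful here,
// a prepared statement keeps the value out of the SQL grammar entirely.
function loadProfile(PDO $db, array $session): ?array
{
    $name = $session['username'] ?? '';
    if (!validUsername($name)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, display_name FROM users WHERE username = :u');
    $stmt->execute([':u' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo over the constructed inputs.
foreach ($samplePosts as $post) {
    $session = [];
    $ok = loginHardened($post, $session);
    printf("%-32s login=%s\n", var_export($post['username'], true), $ok ? 'ok' : 'rejected');
    if ($ok) {
        echo greetingHtml($session), "\n";
    }
}

// A session written by the insecure version (or edited on disk) fails the
// re-check on read, so the payload is never echoed.
$tampered = [];
loginInsecure(['username' => '<img src=x onerror=alert(1)>'], $tampered);
echo greetingHtml($tampered), "\n";

// Database path, only if the sqlite PDO driver is available (in-memory DB,
// constructed row).
if (extension_loaded('pdo_sqlite')) {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, display_name TEXT)');
    $db->prepare('INSERT INTO users (username, display_name) VALUES (?, ?)')
       ->execute(['knobby2k', 'Knobby']);
    var_dump(loadProfile($db, ['username' => 'knobby2k']));   // the row
    var_dump(loadProfile($db, ['username' => "' OR 1=1 --"])); // NULL, rejected before SQL
}
```

The point the example makes is that "cleansing" is not one operation: the whitelist check belongs at the input boundary (and is cheap enough to repeat when reading the session), while escaping depends on where the value is going next. htmlspecialchars() is right for HTML output and wrong for SQL; a prepared statement is right for SQL and does nothing for HTML. Storing only validated data in $_SESSION does not remove the need for output escaping, it just means a correctly stored value can never fail it.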
knobby2k (author), posted September 8, 2011

Cheers, you lot!!