Jump to content

Question about Sessions

sf_guy

By sf_guy
in PHP Coding Help

 Share

Recommended Posts

sf_guy Member

sf_guy

Posted
Posted

I'm a bit of a PHP newbie and have been playing around with using sessions and general PHP security. I noticed that the sessions are stored in a directory on a user's hard drive.

 

Could a smart user simply copy this information and then, when their session is closed and the info deleted, paste it back to the same subdirectory and regain access to parts of the application without proper authentication?

Link to comment
Share on other sites
Psycho Prolific Member

Psycho

Posted
Posted

I'm a bit of a PHP newbie and have been playing around with using sessions and general PHP security. I noticed that the sessions are stored in a directory on a user's hard drive.

 

Could a smart user simply copy this information and then, when their session is closed and the info deleted, paste it back to the same subdirectory and regain access to parts of the application without proper authentication?

 

Sessions are not stored on a user's PC. The only thing that is stored on the user's machine is a cookie with the session ID. All the session data is stored on the server. The sessions are only valid for a limited time (I think 20 minutes by default). When you close your browser the cookie is deleted. So, the security risk would be someone copying that cookie while you have the browser open and while the session is active. But, I would guess the session ID may also be based on the IP address, so that may not work either.

Link to comment
Share on other sites
davidannis Regular Member

davidannis

Posted
Posted

All the session data is stored on the server

I'm guessing the source of his confusion is that he is developing using WAMP or MAMP and so his machine is both the server and the client.

 

But, I would guess the session ID may also be based on the IP address, so that may not work either.

I don't think that the session_id can be based on the IP because you can not rely on an IP to be static for a browser. May not be an issue in modern times but I certainly remember trying to do sessions based on IP in the good old day and having AOL send every page request for a user from a different IP address. 

 

You could manually store and check User Agent to tighten things a bit, you can also provide a logout fuction to users that destroys the session.

unset($_SESSION);
session_destroy();

should do it.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.