
Question about Sessions


sf_guy


I'm a bit of a PHP newbie and have been playing around with using sessions and general PHP security. I noticed that the sessions are stored in a directory on a user's hard drive.


Could a smart user simply copy this information and then, when their session is closed and the info deleted, paste it back to the same subdirectory and regain access to parts of the application without proper authentication?


Sessions are not stored on a user's PC. The only thing that is stored on the user's machine is a cookie with the session ID. All the session data is stored on the server. The sessions are only valid for a limited time (I think 20 minutes by default). When you close your browser the cookie is deleted. So, the security risk would be someone copying that cookie while you have the browser open and while the session is active. But, I would guess the session ID may also be based on the IP address, so that may not work either.


All the session data is stored on the server

I'm guessing the source of his confusion is that he is developing using WAMP or MAMP and so his machine is both the server and the client.


But, I would guess the session ID may also be based on the IP address, so that may not work either.

I don't think that the session_id can be based on the IP because you cannot rely on an IP to be static for a browser. It may not be an issue in modern times, but I certainly remember trying to do sessions based on IP in the good old days and having AOL send every page request for a user from a different IP address.


You could manually store and check the User-Agent to tighten things a bit; you can also provide a logout function to users that destroys the session.

session_start();      // the session has to be active before it can be destroyed
$_SESSION = array();  // clear the data; the PHP manual warns against unset($_SESSION)
session_destroy();    // delete the server-side session file

should do it.

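An added example in PHP, not code from the thread, that puts together the points raised in the two replies above: the browser holds only the session ID, so harden the cookie that carries it; bind the session to the User-Agent as a weak extra check; regenerate the ID on login; and implement a logout that clears the data, expires the cookie and deletes the server-side file. Function names, the 30-minute idle timeout, the demo credential and the dispatch at the bottom are assumptions; it assumes PHP 7.3 or later for the array form of session_set_cookie_params() and setcookie().

```php
<?php
// Added example, not code from the original thread. Function names, the idle
// timeout and the demo credential are assumptions; assumes PHP 7.3+.

// Constructed demo credential. A real application looks the hash up per user.
$demoHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

// Start or resume the session. The browser only ever holds the session ID
// cookie; the data itself lives server-side (see session_save_path()).
function secure_session_start(): void
{
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie: dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript, limits theft via XSS
        'samesite' => 'Lax',  // not sent with cross-site POST requests
    ]);
    ini_set('session.use_strict_mode', '1');  // reject IDs this server never issued
    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    session_start();

    $ua_hash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $now     = time();

    // Bind the session to the User-Agent, as the reply suggests. The header is
    // attacker-controlled, so a match proves nothing; a mismatch just ends the session.
    $ua_changed = isset($_SESSION['ua_hash'])
        && !hash_equals($_SESSION['ua_hash'], $ua_hash);

    // Idle timeout enforced by the application, independent of
    // session.gc_maxlifetime, whose cleanup only runs probabilistically.
    $idle = isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > 1800;

    if ($ua_changed || $idle) {
        $_SESSION = [];
        session_regenerate_id(true); // fresh ID; the old server-side file is deleted
    }
    $_SESSION['ua_hash']   = $ua_hash;
    $_SESSION['last_seen'] = $now;
}

// Call only after the password check has succeeded. Issuing a new ID here
// defeats session fixation (an attacker planting a known ID before login).
function login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function is_logged_in(): bool
{
    return isset($_SESSION['user_id']);
}

// Full logout. session_destroy() alone removes the server-side file but leaves
// the cookie in the browser, so also clear the data and expire the cookie.
function logout(): void
{
    $_SESSION = []; // not unset($_SESSION): that disables $_SESSION for the rest of the request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Minimal dispatch showing the pieces together (assumed URL scheme:
// ?action=login with a POSTed password, ?action=logout).
secure_session_start();
switch ($_GET['action'] ?? '') {
    case 'login':
        if (password_verify($_POST['password'] ?? '', $demoHash)) {
            login(42); // assumed user id for the demo credential
        }
        break;
    case 'logout':
        logout();
        break;
}
header('Content-Type: text/plain');
echo is_logged_in() ? "logged in as user {$_SESSION['user_id']}\n" : "anonymous\n";
```

With this in place, the scenario from the original question (copying the server-side session file and pasting it back) still fails for a remote user, who never sees that file; the realistic risk is the cookie, and the Secure, HttpOnly and SameSite attributes plus session.use_strict_mode narrow how it can be stolen or planted. The User-Agent check is deliberately treated as a nuisance for an attacker rather than a guarantee, since anyone who can steal the cookie can also copy the header.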
