Ikerepc

Faking sessions


Hi...

I want to know: is there a way for a user to fake a session?

I couldn't find that out...

What I'm asking is this: when a user logs in to my site with his username and password, it stores his id in the session. Permissions and everything else "come out" of that session variable... That's the first thing the program checks to see whether a user is logged in, and which one.

For cookies I'm using a hash and salt, but I want to know how to protect sessions; if it's possible to fake them, I need to secure them.

When a user is logged in, the session uid holds his user id. If someone could just change that id in the session variable, he could be an admin...


No. Session information is stored on the server. The only thing transferred between the client and server is the session ID.


Another thing you could do (OTW here) is create a random "value" to store in that uid that is NOT a true user id or anything resembling an important value. Then use that token to do a lookup on a table set up just to store login data, and if you find that token value you will have whatever info you need, such as the true user's id. This way nobody can alter the session value (good luck with that) to another value that could cause you harm, since they are all random and not viewable at all by the hacker. This is an awful lot of work to do for something that is pretty darn safe as it is, but if you think that your app/data is THAT super-sensitive, then go for it!

Rather than read the articles that express fear about the safety of Session data, why not find the ones that tell you how sessions really work and how safe they can be?
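To make the two answers above concrete, here is an added example (not code from the thread or from any poster) of a minimal server-side session store: the client only ever holds an opaque random session ID, the user id never leaves the server, and, following the token-indirection idea in the second reply, the session itself stores only a random token that is mapped to the real user id in a separate login table. The in-memory dicts, the `start_session`/`login`/`current_user`/`logout` names and the 32-byte ID length are assumptions for the example.

```python
import secrets

# Constructed in-memory stand-ins for the server's session storage and the
# login-token table suggested in the thread (example only, not persistent).
SESSIONS: dict[str, dict] = {}       # opaque session id -> server-side data
LOGIN_TOKENS: dict[str, int] = {}    # random login token -> real user id


def start_session() -> str:
    """Create an empty server-side session; the returned ID is all the client holds."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid


def login(sid: str, user_id: int) -> str:
    """Authenticate a user on an existing session.

    The session ID is rotated so an ID the client held before login is worthless
    afterwards (session fixation), and the session stores only a random token;
    the real user id is kept in LOGIN_TOKENS, which the client cannot read or write.
    """
    old_data = SESSIONS.pop(sid, {})
    new_sid = secrets.token_urlsafe(32)
    token = secrets.token_hex(32)
    LOGIN_TOKENS[token] = user_id
    SESSIONS[new_sid] = {**old_data, "uid_token": token}
    return new_sid


def current_user(presented_sid: str):
    """Resolve the client's presented session ID to a user id, or None.

    A forged or guessed ID simply finds no server-side record; there is no way
    for the client to change the uid stored under a real ID.
    """
    data = SESSIONS.get(presented_sid)
    if not data or "uid_token" not in data:
        return None
    return LOGIN_TOKENS.get(data["uid_token"])


def logout(sid: str) -> None:
    """Destroy the session and the login token it referenced."""
    data = SESSIONS.pop(sid, None)
    if data and "uid_token" in data:
        LOGIN_TOKENS.pop(data["uid_token"], None)
```

In a real deployment the dicts become the session backend (PHP's session handler, Redis, a database table) and the session ID travels in a cookie marked `HttpOnly`, `Secure` and `SameSite`; the point shown here is that every value a client can tamper with is a lookup key, never the privilege itself.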
