Faking sessions

I want to know: is there a way for a user to fake a session?

I couldn't find that out...

What I'm asking is: when a user logs in to my site with his username and password, it stores his id in the session. Permissions and everything else are "going out" of that session variable... That's the first thing the program checks to see if the user is logged in, and which one.

For cookies I'm using a hash and salt, but I want to know how to protect sessions, since if it's possible to fake them, I need to secure them.

When a user is logged in, the session uid holds his user id. If someone could just change that id in the session variable, he could be an admin...

No. Session information is stored on the server. The only thing transferred between the client and server is the session ID.

Another thing you could do (OTW here) is create a random "value" to store in that uid that is NOT a true user id or anything resembling an important value. Then use that token to do a lookup on a table set up just to store login data, and if you find that token value you will have whatever info you need, such as the true user's id. This way nobody can alter the session value (good luck with that) to another value that could cause you harm, since they are all random and not viewable at all by the hacker. This is an awful lot of work to do for something that is pretty darn safe as it is, but if you think that your app/data is THAT super-sensitive, then go for it!

Rather than read the articles that express fear about the safety of Session data, why not find the ones that tell you how sessions really work and how safe they can be?

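The two replies above make the same point from different angles: the session data lives on the server, and the only thing the client can touch is the session ID, which is a random lookup key rather than a user id. The following is an added example illustrating that model (it is not code from this thread's posters, and it uses Python as a stand-in for whatever server language the site is written in). The user table, passwords and session store are constructed for the example; a real site would keep them in its database and in the web framework's session handler. It shows what a client who edits his cookie can and cannot achieve, and also the exposure that remains: whoever holds a valid session ID is that user until the session is destroyed.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed user table standing in for the site's database (an assumption of
# this example). Passwords are stored as salted PBKDF2 hashes, never in clear.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _make_user(uid: int, role: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"id": uid, "role": role, "salt": salt, "hash": _hash_password(password, salt)}

USERS = {
    "alice": _make_user(1, "admin", "correct horse"),
    "bob": _make_user(2, "user", "battery staple"),
}

# The server-side session store: session ID -> session data. This mapping never
# leaves the server; the client only ever holds the key (the session ID cookie).
_SESSIONS: dict = {}

def login(username: str, password: str) -> Optional[str]:
    """Check credentials; on success create a session and return its ID.

    The returned ID is what goes into the cookie. It is 256 random bits and
    carries no user information, so it cannot be "edited" into another user's
    id; it can only be looked up in _SESSIONS.
    """
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["hash"], _hash_password(password, user["salt"])):
        return None
    sid = secrets.token_urlsafe(32)
    _SESSIONS[sid] = {"uid": user["id"]}
    return sid

def current_user(cookie_sid: Optional[str]) -> Optional[dict]:
    """What every request handler does: resolve the cookie's session ID to a user."""
    if cookie_sid is None:
        return None
    sess = _SESSIONS.get(cookie_sid)
    if sess is None:
        return None
    for user in USERS.values():
        if user["id"] == sess["uid"]:
            return user
    return None

def logout(cookie_sid: str) -> None:
    """Destroy the server-side record; the cookie value is now meaningless."""
    _SESSIONS.pop(cookie_sid, None)

def demo() -> dict:
    """Walk through what a client can and cannot do when all he holds is the cookie."""
    bob_sid = login("bob", "battery staple")
    # 1. Bob edits his cookie to whatever he likes: the server looks the value up
    #    in its own store and finds nothing, so he is simply not logged in.
    forged = [current_user("1"), current_user("A" + bob_sid), current_user("uid=1")]
    # 2. Bob's genuine cookie resolves to Bob's server-side record, not the admin's.
    own = current_user(bob_sid)
    # 3. The real exposure: if Alice's session ID leaks (sniffed, stolen via XSS,
    #    planted by fixation), whoever presents it IS Alice until the session ends.
    alice_sid = login("alice", "correct horse")
    hijacked = current_user(alice_sid)
    logout(alice_sid)
    after_logout = current_user(alice_sid)
    return {
        "forged_all_rejected": all(u is None for u in forged),
        "own_role": own["role"],
        "hijacked_role": hijacked["role"],
        "after_logout": after_logout,
    }

if __name__ == "__main__":
    print(demo())
```

The lookup-table idea from the post above is already what a session ID is: a random token that maps, on the server, to the real user id. Adding a second random token inside the session buys nothing against a client, because the client never sees session contents in the first place. What does matter is protecting the ID itself: generate it with a CSPRNG (as `secrets.token_urlsafe` does here), send it only over HTTPS with the `Secure` and `HttpOnly` cookie flags, issue a fresh ID at login so a pre-set one cannot be fixed, and destroy the server-side record at logout.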