Grabbing $_SESSION and $_REQUEST Variables

[blackcell]

How hard is it for someone to grab your scripts $_SESSION and $_REQUEST variables?

I wonder not in the interest of hacking but in the interest of preventative scripting. 

I want to start making my code more secure but I have no idea how to do anything malicious or mischievous with php so I don't know how to protect things.

 

[Daniel0]

What do you mean with grabbing them? The contents of $_SESSION is stored on the server, so anyone having read access to those files can "grab" them. $_REQUEST is just GET, POST and cookie data combined.

[blackcell]

Sorry for the "grab" terminology.

<?php
$StoredGrab = $_SESSION['SOMETHINGTOGRAB'];
?>

 

These files are stored on the server, ok. Does that mean User2 can access the contents of $_SESSION['SOMETHING'] stored by USER99?

so anyone having read access to those files can "grab" them.

Furthermore, can you have a multi-dimensional array when it comes to $_SESSION ?

For example:

$_SESSION['USERKEY']['CAT1']['DATA1']

$_SESSION['USERKEY']['CAT1']['DATA2']

[michaelh613]

I'm just starting to learn these issues too.  But here is a good article that discusses session hijacking

 

http://www.sitepoint.com/article/php-security-blunders.  Scroll down to Session ID Protection

[Daniel0]

Sorry for the "grab" terminology.

<?php
$StoredGrab = $_SESSION['SOMETHINGTOGRAB'];
?>

 

These files are stored on the server, ok. Does that mean User2 can access the contents of $_SESSION['SOMETHING'] stored by USER99?

so anyone having read access to those files can "grab" them.

No, users cannot access anything per se, but if they have a matching session ID then PHP will use the information stored for that user on disk.

 

Furthermore, can you have a multi-dimensional array when it comes to $_SESSION ?

For example:

$_SESSION['USERKEY']['CAT1']['DATA1']

$_SESSION['USERKEY']['CAT1']['DATA2']

Yes. That would be no problem.

[blackcell]

Cool, thank you very much.