blackcell, posted April 2, 2008:

How hard is it for someone to grab your script's $_SESSION and $_REQUEST variables? I wonder not in the interest of hacking but in the interest of preventative scripting. I want to start making my code more secure, but I have no idea how to do anything malicious or mischievous with PHP, so I don't know how to protect things.

Daniel0, posted April 2, 2008:

What do you mean by grabbing them? The contents of $_SESSION are stored on the server, so anyone having read access to those files can "grab" them. $_REQUEST is just GET, POST and cookie data combined.

blackcell (author), posted April 3, 2008:

Sorry for the "grab" terminology.

<?php $StoredGrab = $_SESSION['SOMETHINGTOGRAB']; ?>

These files are stored on the server, ok. Does that mean User2 can access the contents of $_SESSION['SOMETHING'] stored by USER99?

> so anyone having read access to those files can "grab" them.

Furthermore, can you have a multi-dimensional array when it comes to $_SESSION? For example:

$_SESSION['USERKEY']['CAT1']['DATA1']
$_SESSION['USERKEY']['CAT1']['DATA2']

michaelh613, posted April 3, 2008:

I'm just starting to learn these issues too. But here is a good article that discusses session hijacking: http://www.sitepoint.com/article/php-security-blunders. Scroll down to Session ID Protection.

Daniel0, posted April 3, 2008:

> Sorry for the "grab" terminology.
>
> <?php $StoredGrab = $_SESSION['SOMETHINGTOGRAB']; ?>
>
> These files are stored on the server, ok. Does that mean User2 can access the contents of $_SESSION['SOMETHING'] stored by USER99?
>
> > so anyone having read access to those files can "grab" them.

No, users cannot access anything per se, but if they have a matching session ID then PHP will use the information stored for that user on disk.

> Furthermore, can you have a multi-dimensional array when it comes to $_SESSION? For example:
>
> $_SESSION['USERKEY']['CAT1']['DATA1']
> $_SESSION['USERKEY']['CAT1']['DATA2']

Yes. That would be no problem.

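The behaviour described in the answer above, as an added example that is not part of the original thread: a PHP CLI script in which each session_start()/session_write_close() pair stands in for one HTTP request. It shows that session data is selected purely by session ID, that nested arrays are stored as-is, and that regenerating the ID cuts the old ID off from the data. The temp save path and the stored string are constructed for the demo, and the default `files` save handler and PHP 7.1+ are assumed.

```php
<?php
// Added example, not code from the thread. Run with the PHP CLI (7.1+).
// Each session_start()/session_write_close() pair stands in for one HTTP request.
// Constructed values: the temp save path and the stored string.
$dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);                        // session files readable by this account only
ini_set('session.save_handler', 'files');
ini_set('session.save_path', $dir);
ini_set('session.use_cookies', '0');      // no browser here; IDs are set by hand
ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
$out = [];

// Request 1: USER99 stores nested data; PHP writes it to sess_<id> on the server.
session_start();
$user99 = session_id();
$_SESSION['USERKEY']['CAT1']['DATA1'] = 'belongs to USER99';
session_write_close();
$out[] = 'file on disk: ' . file_get_contents("$dir/sess_$user99");

// Request 2: User2 arrives with a different ID and gets a separate, empty session.
session_id(session_create_id());
session_start();
$out[] = 'User2 sees: ' . json_encode($_SESSION);
session_write_close();

// Request 3: whoever presents USER99's ID is given USER99's data.
session_id($user99);
session_start();
$out[] = 'same ID sees: ' . json_encode($_SESSION);

// Mitigation: issue a fresh ID (e.g. at login) and delete the old session file.
session_regenerate_id(true);
session_write_close();

// Request 4: the old ID no longer maps to any data.
session_id($user99);
session_start();
$out[] = 'old ID after regenerate sees: ' . json_encode($_SESSION);
session_destroy();

// Output is printed last so no headers are sent before the session calls.
echo implode(PHP_EOL, $out), PHP_EOL;
array_map('unlink', glob("$dir/sess_*"));  // clean up the demo files
rmdir($dir);
```

In a web application the same regeneration step belongs right after a successful login or privilege change, together with session cookies marked HttpOnly and Secure.
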
blackcell (author), posted April 3, 2008:

Cool, thank you very much.