blackcell
Posted April 2, 2008

How hard is it for someone to grab your script's $_SESSION and $_REQUEST variables? I wonder not in the interest of hacking but in the interest of preventative scripting. I want to start making my code more secure, but I have no idea how to do anything malicious or mischievous with PHP, so I don't know how to protect things.

Daniel0
Posted April 2, 2008

What do you mean by grabbing them? The contents of $_SESSION are stored on the server, so anyone having read access to those files can "grab" them. $_REQUEST is just GET, POST and cookie data combined.

blackcell
Posted April 3, 2008

Sorry for the "grab" terminology.

<?php $StoredGrab = $_SESSION['SOMETHINGTOGRAB']; ?>

These files are stored on the server, ok. Does that mean User2 can access the contents of $_SESSION['SOMETHING'] stored by USER99?

> so anyone having read access to those files can "grab" them.

Furthermore, can you have a multi-dimensional array when it comes to $_SESSION? For example:

$_SESSION['USERKEY']['CAT1']['DATA1']
$_SESSION['USERKEY']['CAT1']['DATA2']

michaelh613
Posted April 3, 2008

I'm just starting to learn these issues too. But here is a good article that discusses session hijacking: http://www.sitepoint.com/article/php-security-blunders. Scroll down to Session ID Protection.

Daniel0
Posted April 3, 2008

> Sorry for the "grab" terminology.
>
> <?php $StoredGrab = $_SESSION['SOMETHINGTOGRAB']; ?>
>
> These files are stored on the server, ok. Does that mean User2 can access the contents of $_SESSION['SOMETHING'] stored by USER99?
>
> so anyone having read access to those files can "grab" them.

No, users cannot access anything per se, but if they have a matching session ID then PHP will use the information stored for that user on disk.

> Furthermore, can you have a multi-dimensional array when it comes to $_SESSION? For example:
>
> $_SESSION['USERKEY']['CAT1']['DATA1']
> $_SESSION['USERKEY']['CAT1']['DATA2']

Yes. That would be no problem.

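Since the reply above says the session ID is what selects whose stored data PHP loads, and that the data sits in server-side files, here is an added example (not code from any poster in this thread) of protecting both. It assumes PHP 7.3 or later and an HTTPS site; the save path, the `user_id` key and the function names are hypothetical.

```php
<?php
// Added example, not from the thread. Paths, keys and values are constructed.

function start_hardened_session(string $savePath): void
{
    // Session data is stored in files on the server: keep them in a
    // directory that only the PHP user can read.
    if (!is_dir($savePath)) {
        mkdir($savePath, 0700, true);
    }
    session_save_path($savePath);

    // Only accept IDs this server issued, and never carry the ID in the
    // URL, where it ends up in logs and Referer headers.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,  // assumption: site is served over HTTPS
        'httponly' => true,  // cookie is not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(string $userId): void
{
    // Issue a fresh ID at login and delete the old session file, so an ID
    // known before authentication does not map to the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    // Multi-dimensional data, in the shape asked about in the thread.
    $_SESSION['USERKEY']['CAT1'] = ['DATA1' => 'a', 'DATA2' => 'b'];
}

function current_user(): ?string
{
    // Identity comes from the server-side session only. $_REQUEST merges
    // GET, POST and cookie data, all of which the client controls.
    return $_SESSION['user_id'] ?? null;
}

// Constructed demo values; runs from the PHP command line.
start_hardened_session(sys_get_temp_dir() . '/example_sessions');
log_in('USER99');
echo current_user(), ' ', $_SESSION['USERKEY']['CAT1']['DATA2'], PHP_EOL;
```
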
blackcell
Posted April 3, 2008

Cool, thank you very much.

This topic is now archived and is closed to further replies.