Session security
If I wanted to store all my user info in a session rather than fetching it through MySQL on every page load, is it still safe?
I have this in htaccess:
php_value session.cookie_domain .MYDOMAIN.COM
Soo... is it stored in a session on the server or a cookie?
Basically, if I were to say $_SESSION['access_level'] = 5, is there some way they could manipulate the value and give themselves a higher access level?
SonicMailer Pro - Professional mailing list manager & award-winning email marketing software
Download a FREE 30-day trial today!
Use coupon savemoreon4 and save 10%!
FrankR posted this at 02:48 — 12th January 2007.
He has: 45 posts
Joined: Oct 2006
It's a safe as the PHP configuration on the server. The session ID is stored in the cookie. The session data is stored on the server. Session data is stored by default in the /tmp directory on a typical Linux or BSD host.
You need to be aware of cross-site scripting attacks and their use to commit session hijacking. An attack can be carried out against web sites that allow unfiltered HTML to be posted. The attacker places some JavaScript on the page that captures the session cookie from the user’s browser and fetches a 1 pixel image from a remote server. The script appends the cookie content (containing the session key) to the image URL. The attacker then retrieves the session ID from his logs and uses it to access your web site under the credentials of the hijacked session.
Note that the attack I just described is not specific to PHP sessions!
Frank
Author of SQL Converter for Excel, which is an Excel add-in for converting data to MySQL.
Triexa.com posted this at 04:05 — 12th January 2007.
They have: 173 posts
Joined: Feb 2005
I do a lot of work on some pages with javascript as well.
1) Can it access the same session information or is it simply not possible?
2) Say I were to put "accountLevel = 5;" inside a <script> in my header file. This is EASILY changed through "javascript:accountLevel = 10" in the address bar. What can I do to combat this or do some other method?
SonicMailer Pro - Professional mailing list manager & award-winning email marketing software
Download a FREE 30-day trial today!
Use coupon savemoreon4 and save 10%!
JeevesBond posted this at 09:54 — 12th January 2007.
He has: 3,956 posts
Joined: Jun 2002
I think what FrankR is saying is that this information is not stored on the client machine, it's stored on the server (in the /tmp directory). The only thing stored on the client is the sessionid. You don't need to use MySQL to store your session information: that's what FrankR is saying, you can use a server side cookie instead.
If you did put more information into your client side cookie (and treat that as being reliable) then yes, you are asking for trouble.
Never trust what the client sends you! Using $_SESSION will not lead to anything other than the sessionid being stored on the client.
a Padded Cell our articles site!
FrankR posted this at 12:12 — 12th January 2007.
He has: 45 posts
Joined: Oct 2006
That's exactly what I am saying. Additionally, JavaScript can be used to steal the sessionid from the cookie on the users machine if any user-supplied content with code is allowed. It is all too common!
Frank
Author of SQL Converter for Excel, which is an Excel add-in for converting data to MySQL.
Want to join the discussion? Create an account or log in if you already have one. Joining is fast, free and painless! We’ll even whisk you back here when you’ve finished.