more session questions

zmola

been reading the manual. do i have this right?

1: with register_globals set to on i can use all session stuff.

2: with register_globals set to off i cannot use session_register, session_is_registered, and session_unregister, but all other session stuff is still okay to use.

3: if (2) then use $_SESSION stuff.

4: question - is $_SESSION stuff always available?

zmola

5: been reading http://www.php.net/manual/en/security.registerglobals.php and am wondering does using $SESSION mean that the following edited example (example 5-15 at the above link) is true, true as in the // comment?

<?php
if($_SESSION['username']){
    // can only come from a session, forged or otherwise <-- true?
    $good_login = 1;
    fpassthru ("/highly/sensitive/data/index.html");
}
?>

Weedpacket

Use

if(isset($_SESSION['username']))

This will only be true if the session data contains something called 'username'. That data is stored on the server, and only a session ID is sent to the client.

It's possible for someone else to steal that session ID from someone else, but if they don't use it fairly soon, the server will delete the data anyway, and the stolen session ID will be invalid.

The other exploit I can think of would be to store fake session data on the server, but basic scripting security (preventing them from uploading a file called "/tmp/sess_2b4ed124c3e741213bb8d0187063c217", basically)
would mean they'd have to actually crack the server itself to do so, and if they can do that then session hijacking is the least of your worries!

It's better to double-check the contents of the session variable against the user database; as well - it's as easy to do as not, so why not?

zmola

thank you very much Weedpacket!