How secure are sessions?

Nijhazer

I'm currently writing a number of scripts in PHP for a website I'm developing. This is the first PHP-based website I've ever designed. The administration pages for the site are protected using session control; two session variables, username and rank, get registered if the database authentication records match up with what's input into the login page. None of the pages are shown to the user unless the session variables are registered and the "rank" variable is above a certain level.

My question is, how secure are PHP sessions? I'm concerned about the possibility of my site being hacked. It's not a site that would lend itself to hacking, but nevertheless I want it to be as secure as possible. As my web server is taken care of by a hosting provider, the only area where I can enforce security is in my scripts, and I want them to be secure.

-Nij

flameche

To use session, php sends a session cookie to the browser and stores data into a file on the web server. The location of that file should not be visible to anybody else but your web server.

Cookies information can be modified by any user to reflect someone else's session id but that possibility is not likely to happen. As far as i know, the cookies file is loaded only once by the browser when you open it. If you want cookies to be reloaded, you may need to close your browser and reopen it. Closing your browser will kill any http 1.1 persistent connection so the session will be closed as well and the data discarded ( I'm not sure about that ). If not discarded il will expire after a certain time as configured in your php.ini ( session.cookie_lifetime and al ).

I also think that php tries to emulate session cookies by adding a get/post variable that contains the session id to your links. That variable could be modified to reflect another known active session id ( if any way to find one ).

Nijhazer

Wow, great answer. I feel a lot better about it now.

I do have some more questions about sessions but I think I can find the answers to those in the PHP docs, so... thanks much!

planetsim

if your sessions are set up right, no session hijacking can occur, but remember if your site is popular and has lots of information people would steal. You'd need to be extra careful, If so then you should have sessions and cookies, getting IP etc.. then it'd be safe... But then again, most sites arent Microsoft and dont need Hacking