Can SESSION variables be spoofed/hijacked?

speedphreak

Question is pretty straight forward. WHat are the odds of spoofing/hijacking session vars? What are some ways to help protect against this? Thanks.

keith73

Session vars or the session ID?

The session ID can be hijacked if it is in a url and someone other than the user sees that URL. If it's in a cookie, then only if the cookie is sniffed somehow.

It isn't likely that a session ID can be spoofed, PHP creates a file of the same name as the session ID which is a long string of random chars. If there is no file with that ID, you'll get an error.

The session variables are stored in that file, so they shouldn't be available unless your code somehow permits the wrong user to see the information.

keith

tomhath

There are security holes with cookies if register globals is on:

http://www.zend.com/manual/security.registerglobals.php

http://faq.ozoneasylum.com/FaqWiki/shownode.php?id=830&sortby=rating