Session Security

tiburblium

Hi all, this is sort of an open ended question but how secure are php sessions? I use a script like this to initially start the sessions:

Database connection;
Compare password and username in database;
if (comparison == true)
{
issue a session
}
else
{
exit
}

Im pretty sure that is secure but just how secure are my pages that require a session to access? such as this:

if (session is regestered)
{
//private information goes here

}
else
{
exit;
}

Is there a way to falsify the headers to change session variables so that you can access session pages without logging in?

Thank

yelvington

Sessions are as secure as the network and your server, but you need to understand how they work.

Session data is stored on the server, by default in files. If your server access is shared, then the data may be readable by others.

The session key (session ID) is transmitted on the wire in cleartext, as a cookie or as a part of the URL.

If the network is not secure, and you're not running all of this over an encrypted connection, then theoretically a session can be hijacked by a "man in the middle." Unlikely but possible.

Session IDs are not predictable, not sequential, and in a practical sense not guessable.

tiburblium

Great thanks thats what I was hoping to hear. Any books or articles you recommend reading on how php sessions work? Also for encyrption Im using 128 bit ssl which is probably overkill considering the content but should keep everything nice and jumbled