Is it safe to pass session variables???

Davidc316

Hi,
As we all know, there are a number of different ways of passing variables from one page to the next. But, I'm curious to know... when you pass a variable via a session... is there NO CHANCE at all that a user can alter that variable?

ScubaKing22

If it's passed through GET, then yes they could. Through POST, an average Jo Shmo couldn't, but then there's always exploits, hackers, etc.

ahundiak

Since session variables stay on the server (and thus use neither GET nor POST) then they are reasonably secure. A cracker would have to gain access to your web server to get at them.

ScubaKing22

Well actually they can use GET; notice in the address bar up top ^{^?} That big long number & letter combination next to s= is the session ID, which as far as I know is a session variable. But yes, you are right. Editing that would only change the GET variable s, not the actual session variable. Not many people, however, pass session variables through GET, so yes it is pretty secure.

Davidc316

But hang on- there are no session variable on the address bar at the top.

When I use sessions the URLs remain clean. It's just a case of using session_start() at the start of each script.

So, with that in mind... where's the risk? I mean, at what point can a user ever view a session ID? In my case it's certainly not from the URL.

Norman_Graham

Hi David

I know I promised to leave you in peace for ever more, but I'd like to try and make amends for previous offence caused.

I've just been reading up on session handling in the manual. I have no experience as yet, but from what I can make out, the session ID is stored in a flat file according to the path specified in php.ini. The standard for Win is c:\temp or similar. This only becomes a problem if the user is using a public computer (net café, work etc.), which would mean that the next user could be recognised as the previous user and, potentially, gain access to settings and info to which he shouldn't have access.

However, what you do about this I don't know. One obvious solution is SSL, which you'll probably want anyway if you're dealing with money transactions. Any other solutions (using cookies and then deleting them at the end of the session) will of course mean that the information will not be stored for the next time the user accesses the site. But I'm getting a bit out of my depth here.

HTH

Norman

ahundiak

Norman is sort of close but not quite there.

The session id is merely some sort of unique number/string which in turn is used to load session information for a given session. In other words, it's used to distingush one user from another.

The session id has to somehow come from the client because the server itself does not remember who made what request. Typically, the session id is stored as a cookie on the client. But it could be stored in POST or GET data.

So given that the session id is stored on the client and is transmitted to the server on each request then it is possible for someone to intercept it. This in turn could allow that someone to pretend to be another user. It's not real easy to intercept a session id (unless you have direct access to the clients computer) but it can be done.

There are some things that can be done to help protect against session hijacking. You can for example store the ip address of the client's computer in the session data and check that it has not changed. Not a perfect solution (ip's can be spoofed plus users behind firewalls often share the same public ip) but it helps.

Finally, note that having a session id does not automatically give the client the ability to directly modify session data. They still need to go through your web application so session data itself is secure unless you allow the user to change it.

Davidc316

Thanks for that- one and all.

I have a problem though... when I pass the session id to the URL using print SID, then on first attempt it works fine and I get a URL with a nice long session ID attatched to it. But when I hit page refresh, suddenly the session ID disappears. It that something that I should be worried about?

Norman_Graham

I don't think so ... as I understand it, that's what should happen anyway - the SID disappears when you refresh (assuming it's just added using GET). If you want it to persist after refresh, you'll have to use another method ... I think.

Sorry not to be more knowledgeable.

Norm

Davidc316

That's what I was hoping to hear and I suppose it makes sense.

After all, by the time you've hit refresh, the session ID has already been passed to the page and their is no longer any need to store the SID in the URL.

Thanks for that

Norman_Graham

Hi David

I just ran across this post from today - there are some good basic code examples in there, I believe: http://www.phpbuilder.com/board/showthread.php?s=&threadid=10251128

HTH

Norm