This may be a stupid question, but can a user change the content of a session? It seems to me like a user would be able to do that as it is saved in cookies...

    The "cookie" that actually contains the $_SESSION data is on the server, though.

    So, the client shouldn't ever be able to change the data in the session, unless you as the programmer allow them to do so (which we assume is the point) --- however, you must code in a secure manner, so that the bad boyz can't utilize the framework of your app (or the lack of it) to alter things without your consent.

    Sessions do use cookies, but only to hold the SESSION_ID on the remote (client) machine. There are only a couple of dangers there: one, that someone would change the value of the SESSION_ID and get into someone else's session; two, that someone would sniff the SESSION_ID as it goes over the wire and intercept ("get into", what a concept, but you know what I mean) the session. In both cases, this isn't what NORMAL users would do. But, security isn't about NORMAL users quite often, is it?

    HTH,

      Originally posted by dalecosp
      But, security isn't about NORMAL users quite often, is it?

      Exactly 😉
      I'm not using sessions to log in users (Should I?). I use them to transfer db stuff (like IDs) from page to page and I wanted to know if I should take care of SQL injection.
      Thanks

        Don't know that there's much to worry about there, then, as long as register_globals is "OFF".

          Maybe this will help you understand more how sessions work. It is more complex than I will write, but I will simplify it for the sake of clarity.

          When you call session_start(),
          PHP checks if the user sent a cookie to the server. If so, it looks at the cookie and if it contains a valid session id, it uses that id.

          Let's say our session id is:
          234jn42kj3n4j234jk213n4j2n

          So, PHP will now look in the directory where it keeps its session files.

          If it can find a file named
          sess_234jn42kj3n4j234jk213n4j2n

          it will load that file into the session. All the data is kept in that file; the only thing the user ever gets is a session id.

          So they cannot add "data" into their cookie and have it affect data in the session, because PHP will only use the data from the session file it created specifically for that session id.

          Think of it like going into an office and saying "hello, my name is 'foobar'". They would then check their file cabinet, and if they can find a file for someone named foobar, they grab the file, and then they use the data in the file for whatever they need to do. If they cannot find a file for someone named 'foobar', they would then create a new file, give it a unique name, and then tell you "your new name is fdgsdfgdfgsdfgxhjlkdmkf. Whenever you come back to visit us again, make sure to tell us this name."

          They never give the file to you; it's for their own internal use only, so you will never be able to modify the contents of the file. Only they can access the file and make changes to it.

          As far as SQL injection goes, there's really only 1 answer to that. You ABSOLUTELY MUST thoroughly validate and check ALL data that comes from the user before you accept it, or use it in any way. This goes not only for data you will put into a database, but ALL data that comes from a user, period. Don't even store data into a session until you verify it is safe.

          Hope that helps.
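          A PHP illustration of the two points made in this reply (the client only ever holds the session id, so harden how that id is accepted; and validate user data before it goes into $_SESSION or a query). This is an added example, not code from any poster in the thread; the PDO DSN, credentials, table and column names are placeholders.

```php
<?php
// Added example: hardening the session id handling described above and
// validating user input before it is stored in the session or used in SQL.

// Refuse session ids PHP did not generate itself: an unknown id in the
// cookie gets replaced with a fresh one instead of a sess_<id> file being
// created under a client-chosen name.
ini_set('session.use_strict_mode', '1');
// Accept the id only from the cookie, never from a URL parameter.
ini_set('session.use_only_cookies', '1');
// Keep the cookie out of reach of scripts and off plain HTTP.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Placeholder connection details; substitute your own.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'db_user', 'db_password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// A record id handed over from the previous page. Validate it as a positive
// integer before it touches the session, as the reply above recommends.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('invalid id');
}
$_SESSION['record_id'] = $id;

// On a later page the value comes back from the server-side session file,
// but it is still bound as a parameter rather than spliced into the SQL.
$stmt = $pdo->prepare('SELECT name FROM records WHERE id = :id');
$stmt->execute([':id' => $_SESSION['record_id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
```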
