Quick Question.

I am implementing a log-on mechanism and I plan to use session variables to save credentials once authenticated. I was reading in the book Advanced PHP Programming that you should encrypt any session data.

I don't understand why this encryption is needed, since the session data is stored on the server. Can someone explain to me the need for encryption? Can session data on the server be tampered with, or can a user falsify this data?

I understand that a user can hijack a session, but once they do that, how can they get to that data?

Thanks for any input
-dm12dm
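As an added illustration of the log-on mechanism described in the question (example code, not from the thread): the session stores only an opaque user identifier, never the credentials, so a hijacked session reveals a login state but no password, and the session ID cookie is hardened against leaking or being set from the URL. The `$users` array and its password are constructed sample data.

```php
<?php
// Added example (not from the original thread): a login flow that keeps
// credentials out of the session entirely. After the password check, only
// a user identifier is stored server-side; the browser receives nothing
// but the session ID cookie, hardened with the flags below.

// Constructed user store: username => output of password_hash().
// In a real application this comes from a database.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function start_hardened_session(): void
{
    // Cookie-only session IDs: never accept an ID passed in the URL.
    ini_set('session.use_only_cookies', '1');
    // Reject session IDs the server never issued itself.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // sent only over HTTPS
        'httponly' => true,   // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // A fresh ID on privilege change defeats session fixation: an ID
    // planted before login is not the one that carries the logged-in state.
    session_regenerate_id(true);
    // Store a reference to the account, never the password or its hash.
    $_SESSION['user'] = $username;
    $_SESSION['auth_time'] = time();
    return true;
}

start_hardened_session();
if (login($users, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    echo 'Logged in as ', htmlspecialchars($_SESSION['user']);
} else {
    http_response_code(401);
    echo 'Invalid credentials';
}
```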

    Hi 12dm12

    I'm no expert, but I would imagine the encryption is to prevent hackers from stealing the data during transfer from client to server and vice versa. Depending on how you organize the data transfer, it may be flying through the ether as plain text, e.g. as part of the URL.

    Once it's on the server, it's a lot safer, at least in theory.

    HTH

    Norman

      Yeah, that's the thing. As far as I understand, the session data does not get sent. The only thing that gets sent is the session ID through a cookie. So the only possible problem I see is someone modifying the cookie to a session ID they think is currently active on the server.

      Is this correct??

        It also depends on how old the book is. Early implementations of sessions in PHP were much easier to crack, and very early implementations were frankly transparent.
