$_SESSION Security

spudmurf2k

Hi,

I use $_SESSION['user_id'] to pass around the current users id and was wondering is there any security implications of doing this? i.e. can you spoof or snoop a session, etc.

Thanks in advance,
Paddy.

halojoy

a session is a little cookie file
but unlike Browser cookies which are stored in the user PC

session cookies are stored in a secure special folder in Server PC harddrive
in this way to be used by website scripts at that serve host
the data does not have to be transfered from the users machine

so a session can be tested without sending data across internet
this makes session cookies a bit more safe than browser cookies

now i am sure there is more to it than this
but this is my thinking for a start
I almost never use $COOKIE
I always use $_SESSION when I need to keep an online user logged in

about $_SESSION read more at PHP Official Manual
http://php.net/session
There is several notes on security and use of session

Sessions and security

External links: Session fixation

The session module cannot guarantee that the information you store in a session is only viewed by the user who created the session. You need to take additional measures to actively protect the integrity of the session, depending on the value associated with it.

severndigital

i agree with halojoy.

depending on the security level of you site, $_sessions should work fine.

I am currently writing code that handles authentication on the db level.

basically;
1. logs the users IP
2. logs the time at login
3. generates a random number which is removed from the database on timeout/logout.

then enters all of the information along with the username into a database.

then i use the $_session variable to house the username.

when i call the $_session later i run it through some vaildation to
check that the users IP address matches what's in the db.

and also to make sure that the random number is housed in the db. if this field is empty the script kicks out with an error.

since the username $_session and the IP address can be faked, i had to come up with a solution to counter act this.

the addition of the random number seems to work well.

hope that helps.

spudmurf2k

Thanks, I thought that alright, just wanted to make sure it was the most watertight way of doing things.

MarkR

I should point out that allowing session IDs to be provided by query string, is insecure and allows session fixation and other attacks.

I would strictly recommend enabling session.use_only_cookies to prevent this.

Mark

spudmurf2k

MarkR wrote:
allowing session IDs to be provided by query string, is insecure and allows session fixation and other attacks.

Do you mean passing it as a GET string like index.php?sess_id=0e34jh3b54j3hb4b4j34hb sort of thing? I only use session_start(), so no worries if that's what you mean.

Is it not possible to maybe spoof the cookie with someone elses session_id (God knows how you'd get it though - but where there's a will . . .)