Geek Answers Handbook

Session variables can be fooled (login)?

In PHP: Is there a way for a user to fake a session variable?

Is it safe to believe in the value of the session variable for the login system?

+6
security php login session
source share
4 answers

Session data is stored on the server. Only the session identifier is passed back and forth between the client and server. If the server side of the script is not working (or there is an error), the client cannot directly modify the session data. But you have to make sure that only the โ€œcorrectโ€ client knows the session identifier, since it associates this particular client with a specific session. For example. (since you mentioned login) use session_regenerate_id () whenever login (attempt) is done to prevent session commit

+16
source share

Sessions are stored on your server either in a file or in memory. The user only contains a cookie that defines the path (usually a hash of some form) to the session data on your server. Theoretically, you can change the cookie to someoneโ€™s hash, but this is very very unlikely if you do not store them as files and do not delete them after they expire, in which case the likelihood that someone is using an old session, will increase.

+7
source share

Yes .. He called the session forge / capture.

You change the session cookie value until you get another user session.

+4
source share

To avoid storing session data on the server, you can sign the content that you want to protect from changes before saving the session, and then check immediately after retrieving from the session. In PHP, this process is reasonably simple and fixes server problems.

Please note that this does not protect session data from rendering. If you need this protection, you can still avoid storing on the server using secure encryption. Just be careful that virtually every encryption scheme based on the size of the key can be broken in the near future. Therefore, if you need to protect session data for, say, 5 years, the safe choice of key and algorithm can create performance problems.

0
source share

More articles:


All Articles