PHP Session Data: How Secure?

Discussion in 'Web Design and Development' started by ppc_michael, Jun 19, 2008.

  1. ppc_michael, Guest
     Joined: Apr 26, 2005
     Location: Los Angeles, CA
     #1
    Are there any methods/plugins that allow users to view or change PHP session variables client-side?

    Basically I'm wondering how worried I should be about users hacking session data to try to access other people's accounts in a login/account system I'm writing.
     
  2. angelwatt, Moderator emeritus
     Joined: Aug 16, 2005
     Location: USA
     #2
    I would not rely solely on session variables. They are not secure and can be faked, as I have found with my contact form. I wasn't trying to do anything secure there, but did notice spambots were able to fake sessions. Though it would take more effort for them to intercept someone else's session and get that data. That's why session data is usually set to expire in minutes/hours. So yeah, don't store any personal information in session variables if possible.

    Some ways to help make sessions more secure
     
  3. ppc_michael, thread starter, Guest
     Joined: Apr 26, 2005
     Location: Los Angeles, CA
     #3
    Oh cool! Thanks, I really appreciate those links.
     
  4. SrWebDeveloper, macrumors 68000
     Joined: Dec 7, 2007
     Location: Alexandria, VA, USA
     #4
    I want to strongly, strongly suggest you take a very close look at the first link Angelwatt listed. That comes from a site I use regularly to find open source object oriented solutions (classes) for PHP. The class is excellent, the author won an innovator award for it and he is one of the better developers sharing code out there. Implement his class and you've eliminated most of the hard work. So I am seconding that advice, big time.

    Your primary concern is session hijacking, and good session handling involves passing encrypted values between pages with a fingerprint or key generated and stored server side (through one of countless means) for each session user and their session data. The 5th link (phpsec.org's article) is superb reading on that specific subject.

    -jim
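The points raised in #2 (session data cannot be read or edited from the browser, but a session can be faked or intercepted, so expire it) and in #4 (the real risk is session hijacking; bind each session to a server-side fingerprint and regenerate IDs) can be shown in a few functions. The code below is an added illustration written for this page; it is not the class from the link mentioned above, not the phpsec.org article's code, and not anything the original posters wrote. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params and setcookie), and the constants SESSION_FINGERPRINT_KEY and SESSION_IDLE_SECONDS are placeholders you would set for your own deployment:

```php
<?php
// Added example (not from the thread): a hardened session bootstrap for a
// PHP login system. Session *data* lives only on the server; the browser
// holds nothing but the session ID cookie, so that ID is the attacker's
// real target (guess it, fixate it, or steal it).

declare(strict_types=1);

// Assumption: a per-deployment secret kept outside the web root, e.g. loaded
// from an environment variable. It keys the fingerprint HMAC below.
const SESSION_FINGERPRINT_KEY = 'replace-with-a-long-random-secret';
// Assumption: 30 minutes of inactivity ends the session (the expiry from #2).
const SESSION_IDLE_SECONDS = 1800;

function client_fingerprint(string $userAgent): string
{
    // Only the User-Agent is bound. Binding the client IP is deliberately
    // left out: it breaks users behind rotating or load-balanced proxies.
    // Storing an HMAC rather than the raw header means a leaked session file
    // reveals nothing and a forged fingerprint needs the server key.
    return hash_hmac('sha256', $userAgent, SESSION_FINGERPRINT_KEY);
}

function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the ID cookie in the browser, not just the server-side file.
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Refuse IDs the server never issued (blocks session fixation) and never
    // accept or emit the ID in the URL, only in the cookie.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, not persisted to disk
        'path'     => '/',
        'secure'   => $https,   // never send the ID over plain HTTP
        'httponly' => true,     // keeps document.cookie (XSS) away from it
        'samesite' => 'Lax',
    ]);
    session_start();

    $fingerprint = client_fingerprint($_SERVER['HTTP_USER_AGENT'] ?? '');
    $stale    = isset($_SESSION['_last'])
             && (time() - (int) $_SESSION['_last']) > SESSION_IDLE_SECONDS;
    $mismatch = isset($_SESSION['_fp'])
             && !hash_equals($_SESSION['_fp'], $fingerprint);
    if ($stale || $mismatch) {
        // Idle too long, or the ID arrived from a different client than the
        // one it was bound to: throw everything away and start empty.
        destroy_session();
        session_start();
    }
    $_SESSION['_fp']   = $fingerprint;   // bind (or re-bind) to this client
    $_SESSION['_last'] = time();
}

function login_user(int $userId): void
{
    // Issue a fresh ID at the privilege change so an ID planted or observed
    // before login is worthless afterwards; true = delete the old session file.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['_last']   = time();
}

function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Usage (constructed): include this file, then on every request:
secure_session_start();
// ...and only after the submitted password verifies against the stored hash:
// login_user($row['id']);
```

Note what this does and does not do. Nothing here stops a user from tampering with session values, because they cannot reach them: $_SESSION is server-side state keyed by the ID cookie. What it does is make the ID harder to fixate (strict mode plus regeneration at login), harder to steal (HttpOnly, Secure, no URL transport) and less useful once stolen (fingerprint check plus idle expiry). Keep it paired with the advice in #2: store as little personal data in the session as the application can get away with.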
     
