Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Is $_SESSION safe ?

Posted on 2006-10-29
12
Medium Priority
?
419 Views
Last Modified: 2010-05-18
Are the vars stored in $_SESSION safe ? Is there any way a malicious user could change them?
0
Comment
Question by:brightwood
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
12 Comments
 
LVL 49

Expert Comment

by:Roonaan
ID: 17828390
Session data can be stored in session files that are accessible for other users on your servers. Especially when you are in shared hosting environment, you should use session_save_path() function, to make sure that your sites sessions are stored on your webspace and are inaccessible to other server users.

-r-
0
 
LVL 35

Assisted Solution

by:Raynard7
Raynard7 earned 400 total points
ID: 17828393
Yes - they are safe - they are saved on our server and as such can not be modified, however you must be wary that it is a possibility that someone may replicate the session header and thus access the same session avariables as someone else that is currently using that session - this is a remote possibility, you can do things to stop it such as verifying the IP to the one saved in the session - if you use https however this would also eliminate this problem.
0
 

Author Comment

by:brightwood
ID: 17828426
At this time I'm just using session variables without session_save_path() or without verifying anything. And I'm not using https.

Obviously this isn't safe and I'm looking further to improve my security.

I'm quite new at this, so I'd like some help to use session_save_path() and to check the IP to the one saved in the session.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 4

Accepted Solution

by:
KarlPurkhardt earned 1400 total points
ID: 17829175
A good way to validate sessions is to store a unique ID in a cookie and in the session and then validate the user's unique ID (Stored in the cookie) against the session unique ID.  for example, when creating the session

$unique_id = md5(rand(1,999) . time());

$_SESSION['UniqueId'] = $unique_id;
$_SESSION['RemoteAddr'] = $_SERVER['REMOTE_ADDR'];

setcookie('UniqueId', $unique_id, time() + 123456789);

then when you want to verify the user:

if (($_SESSION['UniqueId'] != $_COOKIE['UniqueId']) ||
    ($_SESSION['RemoteAddr'] != $_SERVER['REMOTE_ADDR']))
{
      echo 'Session has been destroyed as a security measure;
     session_destroy();
     setcookie('UniqueId', '', time());
}

Basically what this does is creatre a unique Id when the session is created and stores this in the session and on the users computer using a cookie.  Then, when we want to verify the user we simply compare the unique Id stored in the session against the unique Id stored on the users computer (in their cookie).  If these two don't match we can presume that the user is trying to access someone elses session so we destory the session.  I've also added the RemoteAddr to add an extra level of security, again, this is stored in the session and compared against the users remove address when we want to verify.

Hope that helps.
0
 
LVL 14

Assisted Solution

by:Aamir Saeed
Aamir Saeed earned 200 total points
ID: 17829372
I found this site very helpful regarding session security
http://phpsec.org/projects/guide/4.html
0
 

Author Comment

by:brightwood
ID: 17832891
Thanks for the input KarlPurkhardt. But how I can check if session is already created, so I won't create a new uniqueid and a new cookie everytime my page reloads ?
0
 

Author Comment

by:brightwood
ID: 17832928
Basically when my page loads I want to check if session exists.
- if it doesn't exist: I create the unique id and the cookie.
- if it exists: verify user
0
 

Author Comment

by:brightwood
ID: 17833049
I worked this piece of code:

   if ( isset($_SESSION['UniqueId']) ) {
            if (($_SESSION['UniqueId'] != $_COOKIE['UniqueId']) ||
                  ($_SESSION['RemoteAddr'] != $_SERVER['REMOTE_ADDR']))
            {
                   session_destroy();
                   setcookie('UniqueId', '', time());
                   echo '<script language="JavaScript"> window.location.search = ""; </script>';
            }
   } else {
            $unique_id = md5(rand(1,999) . time());
            
            $_SESSION['UniqueId'] = $unique_id;
            $_SESSION['RemoteAddr'] = $_SERVER['REMOTE_ADDR'];
            
            setcookie('UniqueId', $unique_id, time() + 123456789);
   }

Is is good ?
0
 
LVL 4

Expert Comment

by:KarlPurkhardt
ID: 17833640
Yes that looks fine, although you may want to add another check for the cookie being set, incase the user clears their cookies.  You may also want to change the 123456789 to something a little more practical, atm that is set to keep the cookie for almost 4 years :)

0
 

Author Comment

by:brightwood
ID: 17833799
How I can check if cookie is set please ?
0
 
LVL 4

Expert Comment

by:KarlPurkhardt
ID: 17833902
change:

 if ( isset($_SESSION['UniqueId']) ) {

to  
if  (isset($_SESSION['UniqueId'])  && isset($_COOKIE['UniqueId'])) {
0
 

Author Comment

by:brightwood
ID: 17837054
Got It working I guess, thanks a lot for help.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question