Is $_SESSION safe?

Are the vars stored in $_SESSION safe? Is there any way a malicious user could change them?
brightwood Asked:
 
KarlPurkhardt Commented:
A good way to validate sessions is to store a unique ID in a cookie and in the session, and then validate the user's unique ID (stored in the cookie) against the session's unique ID. For example, when creating the session:

$unique_id = md5(rand(1,999) . time());

$_SESSION['UniqueId'] = $unique_id;
$_SESSION['RemoteAddr'] = $_SERVER['REMOTE_ADDR'];

setcookie('UniqueId', $unique_id, time() + 123456789);

then when you want to verify the user:

if (($_SESSION['UniqueId'] != $_COOKIE['UniqueId']) ||
    ($_SESSION['RemoteAddr'] != $_SERVER['REMOTE_ADDR']))
{
     session_destroy();
     setcookie('UniqueId', '', time());
     // Output comes after setcookie(): headers cannot be sent once output has started.
     echo 'Session has been destroyed as a security measure';
}

Basically what this does is create a unique ID when the session is created and store it in the session and on the user's computer using a cookie. Then, when we want to verify the user, we simply compare the unique ID stored in the session against the unique ID stored on the user's computer (in their cookie). If these two don't match, we can presume that the user is trying to access someone else's session, so we destroy the session. I've also added the RemoteAddr to add an extra level of security; again, this is stored in the session and compared against the user's remote address when we want to verify.

Hope that helps.
0
 
Roonaan Commented:
Session data can be stored in session files that are accessible to other users on your servers. Especially when you are in a shared hosting environment, you should use the session_save_path() function to make sure that your site's sessions are stored on your webspace and are inaccessible to other server users.

-r-
0
 
Raynard7 Commented:
Yes - they are safe - they are saved on our server and as such can not be modified, however you must be wary that it is a possibility that someone may replicate the session header and thus access the same session variables as someone else that is currently using that session - this is a remote possibility, you can do things to stop it such as verifying the IP to the one saved in the session - if you use https however this would also eliminate this problem.
0
 
brightwood (Author) Commented:
At this time I'm just using session variables without session_save_path() or without verifying anything. And I'm not using https.

Obviously this isn't safe and I'm looking further to improve my security.

I'm quite new at this, so I'd like some help to use session_save_path() and to check the IP to the one saved in the session.
0
 
Aamir Saeed Commented:
I found this site very helpful regarding session security
http://phpsec.org/projects/guide/4.html
0
 
brightwood (Author) Commented:
Thanks for the input KarlPurkhardt. But how can I check if the session is already created, so I won't create a new unique ID and a new cookie every time my page reloads?
0
 
brightwood (Author) Commented:
Basically when my page loads I want to check if session exists.
- if it doesn't exist: I create the unique id and the cookie.
- if it exists: verify user
0
 
brightwood (Author) Commented:
I worked out this piece of code:

    if ( isset($_SESSION['UniqueId']) ) {
        if (($_SESSION['UniqueId'] != $_COOKIE['UniqueId']) ||
            ($_SESSION['RemoteAddr'] != $_SERVER['REMOTE_ADDR']))
        {
            session_destroy();
            setcookie('UniqueId', '', time());
            echo '<script language="JavaScript"> window.location.search = ""; </script>';
        }
    } else {
        $unique_id = md5(rand(1,999) . time());

        $_SESSION['UniqueId'] = $unique_id;
        $_SESSION['RemoteAddr'] = $_SERVER['REMOTE_ADDR'];

        setcookie('UniqueId', $unique_id, time() + 123456789);
    }

Is it good?
0
 
KarlPurkhardt Commented:
Yes that looks fine, although you may want to add another check for the cookie being set, in case the user clears their cookies. You may also want to change the 123456789 to something a little more practical, atm that is set to keep the cookie for almost 4 years :)

0
 
brightwood (Author) Commented:
How can I check if the cookie is set, please?
0
 
KarlPurkhardt Commented:
change:

if (isset($_SESSION['UniqueId'])) {

to

if (isset($_SESSION['UniqueId']) && isset($_COOKIE['UniqueId'])) {
0
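
The create-or-verify flow worked out in this thread, combined with the session_save_path() advice above, as an added example that is not code from any participant. It goes beyond the posted snippets by drawing the token from random_bytes(), comparing with hash_equals() and setting cookie flags; it assumes PHP 7.3+, a site served over HTTPS, and a hypothetical private directory SESSION_DIR outside the web root (the function and constant names are hypothetical too).

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ and HTTPS.
const SESSION_DIR  = __DIR__ . '/../private/sessions';  // hypothetical path
const TOKEN_COOKIE = 'UniqueId';

function start_private_session(): void
{
    // Keep session files out of the shared default directory (often /tmp).
    if (!is_dir(SESSION_DIR) && !mkdir(SESSION_DIR, 0700, true)) {
        throw new RuntimeException('cannot create session directory');
    }
    session_save_path(SESSION_DIR);           // must run before session_start()
    session_set_cookie_params([
        'httponly' => true,                   // not readable from JavaScript
        'secure'   => true,                   // only sent over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

function issue_token(): void
{
    session_regenerate_id(true);              // fresh session ID for the new binding
    $token = bin2hex(random_bytes(32));       // CSPRNG, unlike rand() and time()
    $_SESSION['UniqueId']   = $token;
    $_SESSION['RemoteAddr'] = $_SERVER['REMOTE_ADDR'];
    setcookie(TOKEN_COOKIE, $token, [
        'expires' => 0, 'path' => '/',        // 0 = lasts until the browser closes
        'httponly' => true, 'secure' => true, 'samesite' => 'Lax',
    ]);
}

function session_is_valid(): bool
{
    $cookie = $_COOKIE[TOKEN_COOKIE] ?? '';
    return is_string($cookie)                 // rejects array-valued cookies
        && isset($_SESSION['UniqueId'], $_SESSION['RemoteAddr'])
        && hash_equals($_SESSION['UniqueId'], $cookie)   // constant-time compare
        && $_SESSION['RemoteAddr'] === $_SERVER['REMOTE_ADDR'];
}

start_private_session();
if (!isset($_SESSION['UniqueId'])) {
    issue_token();                            // first visit: create the binding
} elseif (!session_is_valid()) {
    $_SESSION = [];                           // mismatch: drop server-side data
    session_destroy();
    setcookie(TOKEN_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}
```

REMOTE_ADDR can change legitimately during a session (mobile networks, proxies), so the address check will also end the sessions of those users.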
 
brightwood (Author) Commented:
Got it working I guess, thanks a lot for the help.
0
Question has a verified solution.
