Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 423
  • Last Modified:

Is $_SESSION safe ?

Are the vars stored in $_SESSION safe ? Is there any way a malicious user could change them?
0
brightwood
Asked:
brightwood
3 Solutions
 
RoonaanCommented:
Session data can be stored in session files that are accessible for other users on your servers. Especially when you are in shared hosting environment, you should use session_save_path() function, to make sure that your sites sessions are stored on your webspace and are inaccessible to other server users.

-r-
0
 
Raynard7Commented:
Yes - they are safe - they are saved on our server and as such can not be modified, however you must be wary that it is a possibility that someone may replicate the session header and thus access the same session avariables as someone else that is currently using that session - this is a remote possibility, you can do things to stop it such as verifying the IP to the one saved in the session - if you use https however this would also eliminate this problem.
0
 
brightwoodAuthor Commented:
At this time I'm just using session variables without session_save_path() or without verifying anything. And I'm not using https.

Obviously this isn't safe and I'm looking further to improve my security.

I'm quite new at this, so I'd like some help to use session_save_path() and to check the IP to the one saved in the session.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
KarlPurkhardtCommented:
A good way to validate sessions is to store a unique ID in a cookie and in the session and then validate the user's unique ID (Stored in the cookie) against the session unique ID.  for example, when creating the session

$unique_id = md5(rand(1,999) . time());

$_SESSION['UniqueId'] = $unique_id;
$_SESSION['RemoteAddr'] = $_SERVER['REMOTE_ADDR'];

setcookie('UniqueId', $unique_id, time() + 123456789);

then when you want to verify the user:

if (($_SESSION['UniqueId'] != $_COOKIE['UniqueId']) ||
    ($_SESSION['RemoteAddr'] != $_SERVER['REMOTE_ADDR']))
{
      echo 'Session has been destroyed as a security measure;
     session_destroy();
     setcookie('UniqueId', '', time());
}

Basically what this does is creatre a unique Id when the session is created and stores this in the session and on the users computer using a cookie.  Then, when we want to verify the user we simply compare the unique Id stored in the session against the unique Id stored on the users computer (in their cookie).  If these two don't match we can presume that the user is trying to access someone elses session so we destory the session.  I've also added the RemoteAddr to add an extra level of security, again, this is stored in the session and compared against the users remove address when we want to verify.

Hope that helps.
0
 
Aamir SaeedCommented:
I found this site very helpful regarding session security
http://phpsec.org/projects/guide/4.html
0
 
brightwoodAuthor Commented:
Thanks for the input KarlPurkhardt. But how I can check if session is already created, so I won't create a new uniqueid and a new cookie everytime my page reloads ?
0
 
brightwoodAuthor Commented:
Basically when my page loads I want to check if session exists.
- if it doesn't exist: I create the unique id and the cookie.
- if it exists: verify user
0
 
brightwoodAuthor Commented:
I worked this piece of code:

   if ( isset($_SESSION['UniqueId']) ) {
            if (($_SESSION['UniqueId'] != $_COOKIE['UniqueId']) ||
                  ($_SESSION['RemoteAddr'] != $_SERVER['REMOTE_ADDR']))
            {
                   session_destroy();
                   setcookie('UniqueId', '', time());
                   echo '<script language="JavaScript"> window.location.search = ""; </script>';
            }
   } else {
            $unique_id = md5(rand(1,999) . time());
            
            $_SESSION['UniqueId'] = $unique_id;
            $_SESSION['RemoteAddr'] = $_SERVER['REMOTE_ADDR'];
            
            setcookie('UniqueId', $unique_id, time() + 123456789);
   }

Is is good ?
0
 
KarlPurkhardtCommented:
Yes that looks fine, although you may want to add another check for the cookie being set, incase the user clears their cookies.  You may also want to change the 123456789 to something a little more practical, atm that is set to keep the cookie for almost 4 years :)

0
 
brightwoodAuthor Commented:
How I can check if cookie is set please ?
0
 
KarlPurkhardtCommented:
change:

 if ( isset($_SESSION['UniqueId']) ) {

to  
if  (isset($_SESSION['UniqueId'])  && isset($_COOKIE['UniqueId'])) {
0
 
brightwoodAuthor Commented:
Got It working I guess, thanks a lot for help.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now