Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

PHP:  Are sessions variables safe?

Posted on 2010-08-23
8
Medium Priority
?
307 Views
Last Modified: 2013-12-13
Hi All,

Are PHP session variables safe?

I.e. is there a way the someone to read them or change them?



Thanks in Adv
0
Comment
Question by:detox1978
8 Comments
 
LVL 34

Assisted Solution

by:Beverley Portlock
Beverley Portlock earned 668 total points
ID: 33505367
"Are PHP session variables safe?"

In general - yes.

"I.e. is there a way the someone to read them or change them?"

Yes there is. The best way is a XSS attack. Read this http://www.owasp.org/index.php/Session_hijacking_attack for more info. (scroll down a bit)

0
 
LVL 7

Assisted Solution

by:mcuk_storm
mcuk_storm earned 336 total points
ID: 33505384
By default PHP stores session data in files on disk which if someone has access to the server file system and the permissions are not setup correctly they could view and change this data quite easily, from a normal end user perspective providing your scripts are secure a client should not be able to edit their session data directly.

You can write your own session handler for PHP to store session data somewhere else or encrypt it if you require.

0
 
LVL 34

Accepted Solution

by:
Beverley Portlock earned 668 total points
ID: 33505445
Remember that PHP security is a LAYERED thing. There is no one single fix that turns security on and locks it down tight.

In general, sessions are secure unless you leave a hole elsewhere. XSS attacks work in PHP when you let javascript get posted into an HTML input field so this

<input name='whoops' type='text' />
...
echo $_POST['whoops'];

is insecure because I could enter <script>....malicious code ...</script> whereas this

<input name='whoops' type='text' />
...
echo strip_tags($_POST['whoops']);

is more secure because it eliminates javascript from the input stream. PHP can bit you on the bum in surprising ways, for instance the whole $_SERVER array is injectable by javascript and $_REQUEST is easily manipulated as well. So never, ever do

$aaa = $_SERVER['PHP_SELF'];

always

$aaa = strip_tags($_SERVER['PHP_SELF']);

Also, read up on the FILTER mechanisms in PHP 5.2+

http://www.php.net/filter_var



0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 332 total points
ID: 33505476
They are pretty safe.  About the only thing you can do to make them safer is SSL/HTTPS connections so the data can't be (easily) sniffed.  Note that all the methods to break in require 'abnormal' access.  One other that isn't mentioned there is if they have gained root or admin access to the server.  Then nothing is safe.

Safety is generally proportional to the amount of money involved.  If there is no money involved, people won't generally spend a lot of effort to break in to your site.  If you were running a bank website, you would have people working fulltime to protect your data from the other people who are working fulltime to get it.
0
 
LVL 27

Assisted Solution

by:Cornelia Yoder
Cornelia Yoder earned 332 total points
ID: 33505543
That's why they got invented ... to have a SAFE way to pass data between scripts.
0
 
LVL 2

Author Comment

by:detox1978
ID: 33505573
Thanks for the info.

I'm currently sending data over SSL.

I'll do a bit more reading up on it, but it seems like its fairly safe.
0
 
LVL 111

Assisted Solution

by:Ray Paseur
Ray Paseur earned 332 total points
ID: 33505883
Are you storing nuclear codes, financial data, medical records, or fishing statistics?  The scale of protection might range from armed military to password authentication.

Sessions use cookies.  So a client can log in on a public computer at the library and wander away.  While he is in the mens room, an interloper can walk up to the computer.  That guy's session is not safe.   But most sessions are safe enough for most activities like shopping carts, etc.

If you're already using SSL and you have your own server (no shared hosting) and you trust the guys in the computer room, you're on firm ground.  OTOH, the threats are always changing so it is a good idea to run this search every so often...
http://lmgtfy.com?q=PHP+Security

Sidebar note: PHP sessions are safe enough for Facebook, Yahoo, and lots of other sites.
Best, ~Ray
0
 
LVL 2

Author Comment

by:detox1978
ID: 33506235
Hi Ray,

I've created a CMS aplication for my clients to manage their websites and I was thinking of allowing public signups.



D

0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I imagine that there are some, like me, who require a way of getting currency exchange rates for implementation in web project from time to time, so I thought I would share a solution that I have developed for this purpose. It turns out that Yaho…
There are times when I have encountered the need to decompress a response from a PHP request. This is how it's done, but you must have control of the request and you can set the Accept-Encoding header.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Suggested Courses

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question