PHP: Are sessions variables safe?

Hi All,

Are PHP session variables safe?

I.e. is there a way the someone to read them or change them?



Thanks in Adv
LVL 2
detox1978Asked:
Who is Participating?
 
Beverley PortlockCommented:
Remember that PHP security is a LAYERED thing. There is no one single fix that turns security on and locks it down tight.

In general, sessions are secure unless you leave a hole elsewhere. XSS attacks work in PHP when you let javascript get posted into an HTML input field so this

<input name='whoops' type='text' />
...
echo $_POST['whoops'];

is insecure because I could enter <script>....malicious code ...</script> whereas this

<input name='whoops' type='text' />
...
echo strip_tags($_POST['whoops']);

is more secure because it eliminates javascript from the input stream. PHP can bit you on the bum in surprising ways, for instance the whole $_SERVER array is injectable by javascript and $_REQUEST is easily manipulated as well. So never, ever do

$aaa = $_SERVER['PHP_SELF'];

always

$aaa = strip_tags($_SERVER['PHP_SELF']);

Also, read up on the FILTER mechanisms in PHP 5.2+

http://www.php.net/filter_var



0
 
Beverley PortlockCommented:
"Are PHP session variables safe?"

In general - yes.

"I.e. is there a way the someone to read them or change them?"

Yes there is. The best way is a XSS attack. Read this http://www.owasp.org/index.php/Session_hijacking_attack for more info. (scroll down a bit)

0
 
mcuk_stormCommented:
By default PHP stores session data in files on disk which if someone has access to the server file system and the permissions are not setup correctly they could view and change this data quite easily, from a normal end user perspective providing your scripts are secure a client should not be able to edit their session data directly.

You can write your own session handler for PHP to store session data somewhere else or encrypt it if you require.

0
Cloud Class® Course: Microsoft Exchange Server

The MCTS: Microsoft Exchange Server 2010 certification validates your skills in supporting the maintenance and administration of the Exchange servers in an enterprise environment. Learn everything you need to know with this course.

 
Dave BaldwinFixer of ProblemsCommented:
They are pretty safe.  About the only thing you can do to make them safer is SSL/HTTPS connections so the data can't be (easily) sniffed.  Note that all the methods to break in require 'abnormal' access.  One other that isn't mentioned there is if they have gained root or admin access to the server.  Then nothing is safe.

Safety is generally proportional to the amount of money involved.  If there is no money involved, people won't generally spend a lot of effort to break in to your site.  If you were running a bank website, you would have people working fulltime to protect your data from the other people who are working fulltime to get it.
0
 
Cornelia YoderArtistCommented:
That's why they got invented ... to have a SAFE way to pass data between scripts.
0
 
detox1978Author Commented:
Thanks for the info.

I'm currently sending data over SSL.

I'll do a bit more reading up on it, but it seems like its fairly safe.
0
 
Ray PaseurCommented:
Are you storing nuclear codes, financial data, medical records, or fishing statistics?  The scale of protection might range from armed military to password authentication.

Sessions use cookies.  So a client can log in on a public computer at the library and wander away.  While he is in the mens room, an interloper can walk up to the computer.  That guy's session is not safe.   But most sessions are safe enough for most activities like shopping carts, etc.

If you're already using SSL and you have your own server (no shared hosting) and you trust the guys in the computer room, you're on firm ground.  OTOH, the threats are always changing so it is a good idea to run this search every so often...
http://lmgtfy.com?q=PHP+Security

Sidebar note: PHP sessions are safe enough for Facebook, Yahoo, and lots of other sites.
Best, ~Ray
0
 
detox1978Author Commented:
Hi Ray,

I've created a CMS aplication for my clients to manage their websites and I was thinking of allowing public signups.



D

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.