Solved

PHP:  Are sessions variables safe?

Posted on 2010-08-23
8
302 Views
Last Modified: 2013-12-13
Hi All,

Are PHP session variables safe?

I.e. is there a way the someone to read them or change them?



Thanks in Adv
0
Comment
Question by:detox1978
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 34

Assisted Solution

by:Beverley Portlock
Beverley Portlock earned 167 total points
ID: 33505367
"Are PHP session variables safe?"

In general - yes.

"I.e. is there a way the someone to read them or change them?"

Yes there is. The best way is a XSS attack. Read this http://www.owasp.org/index.php/Session_hijacking_attack for more info. (scroll down a bit)

0
 
LVL 7

Assisted Solution

by:mcuk_storm
mcuk_storm earned 84 total points
ID: 33505384
By default PHP stores session data in files on disk which if someone has access to the server file system and the permissions are not setup correctly they could view and change this data quite easily, from a normal end user perspective providing your scripts are secure a client should not be able to edit their session data directly.

You can write your own session handler for PHP to store session data somewhere else or encrypt it if you require.

0
 
LVL 34

Accepted Solution

by:
Beverley Portlock earned 167 total points
ID: 33505445
Remember that PHP security is a LAYERED thing. There is no one single fix that turns security on and locks it down tight.

In general, sessions are secure unless you leave a hole elsewhere. XSS attacks work in PHP when you let javascript get posted into an HTML input field so this

<input name='whoops' type='text' />
...
echo $_POST['whoops'];

is insecure because I could enter <script>....malicious code ...</script> whereas this

<input name='whoops' type='text' />
...
echo strip_tags($_POST['whoops']);

is more secure because it eliminates javascript from the input stream. PHP can bit you on the bum in surprising ways, for instance the whole $_SERVER array is injectable by javascript and $_REQUEST is easily manipulated as well. So never, ever do

$aaa = $_SERVER['PHP_SELF'];

always

$aaa = strip_tags($_SERVER['PHP_SELF']);

Also, read up on the FILTER mechanisms in PHP 5.2+

http://www.php.net/filter_var



0
WordPress Tutorial 4: Recommended Plugins

Now that you have WordPress installed, understand the interface, and know how to install new parts, let’s take a look at our recommended plugins.

 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 83 total points
ID: 33505476
They are pretty safe.  About the only thing you can do to make them safer is SSL/HTTPS connections so the data can't be (easily) sniffed.  Note that all the methods to break in require 'abnormal' access.  One other that isn't mentioned there is if they have gained root or admin access to the server.  Then nothing is safe.

Safety is generally proportional to the amount of money involved.  If there is no money involved, people won't generally spend a lot of effort to break in to your site.  If you were running a bank website, you would have people working fulltime to protect your data from the other people who are working fulltime to get it.
0
 
LVL 27

Assisted Solution

by:Cornelia Yoder
Cornelia Yoder earned 83 total points
ID: 33505543
That's why they got invented ... to have a SAFE way to pass data between scripts.
0
 
LVL 2

Author Comment

by:detox1978
ID: 33505573
Thanks for the info.

I'm currently sending data over SSL.

I'll do a bit more reading up on it, but it seems like its fairly safe.
0
 
LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 83 total points
ID: 33505883
Are you storing nuclear codes, financial data, medical records, or fishing statistics?  The scale of protection might range from armed military to password authentication.

Sessions use cookies.  So a client can log in on a public computer at the library and wander away.  While he is in the mens room, an interloper can walk up to the computer.  That guy's session is not safe.   But most sessions are safe enough for most activities like shopping carts, etc.

If you're already using SSL and you have your own server (no shared hosting) and you trust the guys in the computer room, you're on firm ground.  OTOH, the threats are always changing so it is a good idea to run this search every so often...
http://lmgtfy.com?q=PHP+Security

Sidebar note: PHP sessions are safe enough for Facebook, Yahoo, and lots of other sites.
Best, ~Ray
0
 
LVL 2

Author Comment

by:detox1978
ID: 33506235
Hi Ray,

I've created a CMS aplication for my clients to manage their websites and I was thinking of allowing public signups.



D

0

Featured Post

WordPress Tutorial 1: Installation & Setup

WordPress is a very popular option for running your web site and can be used to get your content online quickly for the world to see. This guide will walk you through installing the WordPress server software and the initial setup process.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Author Note: Since this E-E article was originally written, years ago, formal testing has come into common use in the world of PHP.  PHPUnit (http://en.wikipedia.org/wiki/PHPUnit) and similar technologies have enjoyed wide adoption, making it possib…
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
The viewer will learn how to dynamically set the form action using jQuery.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question