Solved

PHP:  Are sessions variables safe?

Posted on 2010-08-23
8
298 Views
Last Modified: 2013-12-13
Hi All,

Are PHP session variables safe?

I.e. is there a way the someone to read them or change them?



Thanks in Adv
0
Comment
Question by:detox1978
8 Comments
 
LVL 34

Assisted Solution

by:Beverley Portlock
Beverley Portlock earned 167 total points
ID: 33505367
"Are PHP session variables safe?"

In general - yes.

"I.e. is there a way the someone to read them or change them?"

Yes there is. The best way is a XSS attack. Read this http://www.owasp.org/index.php/Session_hijacking_attack for more info. (scroll down a bit)

0
 
LVL 7

Assisted Solution

by:mcuk_storm
mcuk_storm earned 84 total points
ID: 33505384
By default PHP stores session data in files on disk which if someone has access to the server file system and the permissions are not setup correctly they could view and change this data quite easily, from a normal end user perspective providing your scripts are secure a client should not be able to edit their session data directly.

You can write your own session handler for PHP to store session data somewhere else or encrypt it if you require.

0
 
LVL 34

Accepted Solution

by:
Beverley Portlock earned 167 total points
ID: 33505445
Remember that PHP security is a LAYERED thing. There is no one single fix that turns security on and locks it down tight.

In general, sessions are secure unless you leave a hole elsewhere. XSS attacks work in PHP when you let javascript get posted into an HTML input field so this

<input name='whoops' type='text' />
...
echo $_POST['whoops'];

is insecure because I could enter <script>....malicious code ...</script> whereas this

<input name='whoops' type='text' />
...
echo strip_tags($_POST['whoops']);

is more secure because it eliminates javascript from the input stream. PHP can bit you on the bum in surprising ways, for instance the whole $_SERVER array is injectable by javascript and $_REQUEST is easily manipulated as well. So never, ever do

$aaa = $_SERVER['PHP_SELF'];

always

$aaa = strip_tags($_SERVER['PHP_SELF']);

Also, read up on the FILTER mechanisms in PHP 5.2+

http://www.php.net/filter_var



0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 83 total points
ID: 33505476
They are pretty safe.  About the only thing you can do to make them safer is SSL/HTTPS connections so the data can't be (easily) sniffed.  Note that all the methods to break in require 'abnormal' access.  One other that isn't mentioned there is if they have gained root or admin access to the server.  Then nothing is safe.

Safety is generally proportional to the amount of money involved.  If there is no money involved, people won't generally spend a lot of effort to break in to your site.  If you were running a bank website, you would have people working fulltime to protect your data from the other people who are working fulltime to get it.
0
 
LVL 27

Assisted Solution

by:yodercm
yodercm earned 83 total points
ID: 33505543
That's why they got invented ... to have a SAFE way to pass data between scripts.
0
 
LVL 2

Author Comment

by:detox1978
ID: 33505573
Thanks for the info.

I'm currently sending data over SSL.

I'll do a bit more reading up on it, but it seems like its fairly safe.
0
 
LVL 109

Assisted Solution

by:Ray Paseur
Ray Paseur earned 83 total points
ID: 33505883
Are you storing nuclear codes, financial data, medical records, or fishing statistics?  The scale of protection might range from armed military to password authentication.

Sessions use cookies.  So a client can log in on a public computer at the library and wander away.  While he is in the mens room, an interloper can walk up to the computer.  That guy's session is not safe.   But most sessions are safe enough for most activities like shopping carts, etc.

If you're already using SSL and you have your own server (no shared hosting) and you trust the guys in the computer room, you're on firm ground.  OTOH, the threats are always changing so it is a good idea to run this search every so often...
http://lmgtfy.com?q=PHP+Security

Sidebar note: PHP sessions are safe enough for Facebook, Yahoo, and lots of other sites.
Best, ~Ray
0
 
LVL 2

Author Comment

by:detox1978
ID: 33506235
Hi Ray,

I've created a CMS aplication for my clients to manage their websites and I was thinking of allowing public signups.



D

0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
This article discusses four methods for overlaying images in a container on a web page
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question