Solved

PHP:  Are sessions variables safe?

Posted on 2010-08-23
8
295 Views
Last Modified: 2013-12-13
Hi All,

Are PHP session variables safe?

I.e. is there a way for someone to read them or change them?



Thanks in Adv
0
Comment
Question by:detox1978
8 Comments
 
LVL 34

Assisted Solution

by:Beverley Portlock
Beverley Portlock earned 167 total points
ID: 33505367
"Are PHP session variables safe?"

In general - yes.

"I.e. is there a way for someone to read them or change them?"

Yes there is. The best way is an XSS attack. Read this http://www.owasp.org/index.php/Session_hijacking_attack for more info. (scroll down a bit)

0
 
LVL 7

Assisted Solution

by:mcuk_storm
mcuk_storm earned 84 total points
ID: 33505384
By default PHP stores session data in files on disk. If someone has access to the server file system and the permissions are not set up correctly, they could view and change this data quite easily. From a normal end user's perspective, providing your scripts are secure, a client should not be able to edit their session data directly.

You can write your own session handler for PHP to store session data somewhere else or encrypt it if you require.

0
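As an added illustration of the custom-handler route mentioned in the answer above (example code, not from the thread or from PHP's own distribution), the following class stores each session file encrypted and authenticated, so a reader of the save directory sees only ciphertext, and it sets the directory and files to owner-only permissions. It assumes PHP 5.6 or later (SessionHandlerInterface, hash_equals) with the OpenSSL extension; the save path and the master key string are constructed placeholders, and the key should come from configuration outside the web root, never from source control.

```php
<?php
// Added example: encrypted file-backed session handler (encrypt-then-MAC).
// Assumes PHP >= 5.6 with ext/openssl. Path and key below are placeholders.

class EncryptedFileSessionHandler implements SessionHandlerInterface
{
    private $dir;
    private $encKey;
    private $macKey;

    public function __construct($dir, $masterKey)
    {
        $this->dir = rtrim($dir, '/');
        // Derive separate encryption and MAC keys from the one master key.
        $this->encKey = hash_hmac('sha256', 'enc', $masterKey, true);
        $this->macKey = hash_hmac('sha256', 'mac', $masterKey, true);
    }

    private function path($id)
    {
        // Accept only the character set PHP itself uses for ids, so a crafted
        // cookie value cannot steer the file name outside the save directory.
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new RuntimeException('invalid session id');
        }
        return $this->dir . '/sess_' . $id;
    }

    public function open($savePath, $sessionName)
    {
        if (!is_dir($this->dir)) {
            mkdir($this->dir, 0700, true); // only the web server user may list it
        }
        return true;
    }

    public function close()
    {
        return true;
    }

    public function read($id)
    {
        $file = $this->path($id);
        if (!is_file($file)) {
            return '';
        }
        $blob = file_get_contents($file);
        // Layout on disk: 16-byte IV | ciphertext | 32-byte HMAC over IV+ciphertext.
        if ($blob === false || strlen($blob) < 48) {
            return '';
        }
        $mac      = substr($blob, -32);
        $ivAndCt  = substr($blob, 0, -32);
        $expected = hash_hmac('sha256', $ivAndCt, $this->macKey, true);
        if (!hash_equals($expected, $mac)) {
            return ''; // tampered file or wrong key: treat as an empty session
        }
        $iv    = substr($ivAndCt, 0, 16);
        $ct    = substr($ivAndCt, 16);
        $plain = openssl_decrypt($ct, 'aes-256-cbc', $this->encKey, OPENSSL_RAW_DATA, $iv);
        return $plain === false ? '' : $plain;
    }

    public function write($id, $data)
    {
        $file = $this->path($id);
        $iv   = openssl_random_pseudo_bytes(16);
        $ct   = openssl_encrypt($data, 'aes-256-cbc', $this->encKey, OPENSSL_RAW_DATA, $iv);
        $mac  = hash_hmac('sha256', $iv . $ct, $this->macKey, true);
        if (file_put_contents($file, $iv . $ct . $mac, LOCK_EX) === false) {
            return false;
        }
        return chmod($file, 0600); // other accounts on a shared host cannot read it
    }

    public function destroy($id)
    {
        $file = $this->path($id);
        if (is_file($file)) {
            unlink($file);
        }
        return true;
    }

    public function gc($maxlifetime)
    {
        foreach (glob($this->dir . '/sess_*') as $file) {
            if (filemtime($file) + $maxlifetime < time()) {
                unlink($file);
            }
        }
        return true;
    }
}

// Register before session_start(). Both arguments are constructed placeholders.
$handler = new EncryptedFileSessionHandler('/var/lib/php/sessions-enc', 'REPLACE-WITH-32-RANDOM-BYTES');
session_set_save_handler($handler, true);
session_start();
```

The MAC check runs before decryption, so an edited file is rejected rather than fed into the unserializer, and a failed check simply yields an empty session, which is the safe outcome for a tampered record.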
 
LVL 34

Accepted Solution

by:
Beverley Portlock earned 167 total points
ID: 33505445
Remember that PHP security is a LAYERED thing. There is no one single fix that turns security on and locks it down tight.

In general, sessions are secure unless you leave a hole elsewhere. XSS attacks work in PHP when you let javascript get posted into an HTML input field so this

<input name='whoops' type='text' />
...
echo $_POST['whoops'];

is insecure because I could enter <script>....malicious code ...</script> whereas this

<input name='whoops' type='text' />
...
echo strip_tags($_POST['whoops']);

is more secure because it eliminates javascript from the input stream. PHP can bite you on the bum in surprising ways, for instance the whole $_SERVER array is injectable by javascript and $_REQUEST is easily manipulated as well. So never, ever do

$aaa = $_SERVER['PHP_SELF'];

always

$aaa = strip_tags($_SERVER['PHP_SELF']);

Also, read up on the FILTER mechanisms in PHP 5.2+

http://www.php.net/filter_var



0
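To make the strip_tags and filter_var advice above concrete, here is an added example (not code from the thread) that runs the same echo three ways over constructed payloads: raw, through strip_tags as the answer suggests, and through htmlspecialchars, which is the output-encoding approach that keeps the user's text intact while neutralising markup. It also shows the one case where strip_tags does not help, an allowed tag carrying an event-handler attribute, and a filter_var validation for the common case of a numeric parameter. The payload strings are constructed samples standing in for $_POST and $_SERVER['PHP_SELF']; it assumes PHP 5.4 or later for the ENT_HTML5 flag.

```php
<?php
// Added example: the same echo written three ways, plus filter_var validation.
// All inputs below are constructed samples, not real request data.

function renderRaw($input)
{
    return $input; // equivalent to: echo $_POST['whoops'];
}

function renderStripped($input)
{
    return strip_tags($input); // the answer's fix: removes tags
}

function renderEscaped($input)
{
    // Output encoding for an HTML text context: the browser shows the
    // characters instead of interpreting them as markup.
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function selfUrl($phpSelf)
{
    // $_SERVER['PHP_SELF'] reflects the request path, so it is client-controlled
    // just like $_POST; encode it before it lands in an attribute.
    return htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function pageNumber($raw)
{
    // Validate rather than sanitise when the value has a known shape.
    $n = filter_var($raw, FILTER_VALIDATE_INT, array(
        'options' => array('min_range' => 1, 'max_range' => 10000),
    ));
    return $n === false ? 1 : $n; // fall back to the first page on bad input
}

$samples = array(
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
    'if a <b and c> d',              // strip_tags drops legitimate text here
    'plain text & symbols <3',
);
foreach ($samples as $s) {
    printf("raw:      %s\nstripped: %s\nescaped:  %s\n\n",
        renderRaw($s), renderStripped($s), renderEscaped($s));
}

// strip_tags with an allow-list keeps the tag AND its attributes; escaping does not.
$allowed = '<b onmouseover="alert(1)">hover</b>';
printf("strip_tags with allowed <b>: %s\n", strip_tags($allowed, '<b>'));
printf("escaped:                     %s\n", renderEscaped($allowed));

printf("PHP_SELF in a form action:   %s\n",
    selfUrl('/page.php/"><script>alert(1)</script>'));
printf("page=%s -> %d\n", '7abc', pageNumber('7abc'));
printf("page=%s -> %d\n", '42', pageNumber('42'));
```

The design point: strip_tags changes the data (the third sample loses the words between the angle brackets, and an allowed tag still carries its attributes), whereas htmlspecialchars leaves the stored value alone and applies the protection at the point where the value meets HTML, which is also the place where the context is known. For values with a fixed shape, such as a page number, filter_var with a validating filter rejects bad input outright instead of trying to clean it.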
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 83 total points
ID: 33505476
They are pretty safe.  About the only thing you can do to make them safer is SSL/HTTPS connections so the data can't be (easily) sniffed.  Note that all the methods to break in require 'abnormal' access.  One other that isn't mentioned there is if they have gained root or admin access to the server.  Then nothing is safe.

Safety is generally proportional to the amount of money involved.  If there is no money involved, people won't generally spend a lot of effort to break into your site.  If you were running a bank website, you would have people working full-time to protect your data from the other people who are working full-time to get it.
0
 
LVL 27

Assisted Solution

by:yodercm
yodercm earned 83 total points
ID: 33505543
That's why they got invented ... to have a SAFE way to pass data between scripts.
0
 
LVL 2

Author Comment

by:detox1978
ID: 33505573
Thanks for the info.

I'm currently sending data over SSL.

I'll do a bit more reading up on it, but it seems like it's fairly safe.
0
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 83 total points
ID: 33505883
Are you storing nuclear codes, financial data, medical records, or fishing statistics?  The scale of protection might range from armed military to password authentication.

Sessions use cookies.  So a client can log in on a public computer at the library and wander away.  While he is in the men's room, an interloper can walk up to the computer.  That guy's session is not safe.   But most sessions are safe enough for most activities like shopping carts, etc.

If you're already using SSL and you have your own server (no shared hosting) and you trust the guys in the computer room, you're on firm ground.  OTOH, the threats are always changing so it is a good idea to run this search every so often...
http://lmgtfy.com?q=PHP+Security

Sidebar note: PHP sessions are safe enough for Facebook, Yahoo, and lots of other sites.
Best, ~Ray
0
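The two risks named in this thread, a session cookie travelling over plain HTTP and a logged-in session left open on a shared computer, are both addressed by how the session is started and ended rather than by what is stored in it. The following session bootstrap is an added example (not from the thread): it sends the cookie with the Secure and HttpOnly flags, refuses ids the server did not issue, times out idle and over-age sessions, and regenerates the id at login. It assumes PHP 5.5.2 or later (session.use_strict_mode); the 15-minute idle limit and 8-hour absolute limit are assumed values to tune per application.

```php
<?php
// Added example: hardened session lifecycle. Assumes PHP >= 5.5.2 and HTTPS.
// Time limits are assumed values.

define('IDLE_LIMIT', 900);          // seconds without a request before the session is dropped
define('ABSOLUTE_LIMIT', 8 * 3600); // hard cap on session age regardless of activity

function startHardenedSession()
{
    ini_set('session.use_only_cookies', '1'); // never accept the id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not generate
    // lifetime 0 (browser session), path, domain, secure, httponly:
    // Secure keeps the cookie off plain HTTP, HttpOnly keeps it away from script.
    session_set_cookie_params(0, '/', '', true, true);
    session_start();

    $now = time();
    $expired = (isset($_SESSION['created'])   && $now - $_SESSION['created']   > ABSOLUTE_LIMIT)
            || (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT);
    if ($expired) {
        // Walked-away-at-the-library case: forget everything and issue a fresh id.
        $_SESSION = array();
        session_regenerate_id(true);
    }
    if (!isset($_SESSION['created'])) {
        $_SESSION['created'] = $now;
    }
    $_SESSION['last_seen'] = $now;
}

function loginUser($userId)
{
    // New id at the privilege change, so an id observed or planted before
    // login does not become an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['created'] = time();
}

function currentUser()
{
    return isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null;
}

function logoutUser()
{
    $_SESSION = array();
    // Expire the cookie on the client as well as deleting the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage at the top of every script:
startHardenedSession();
if (currentUser() === null) {
    // ... show login form; on successful password check call loginUser($id)
}
```

With Secure set, the browser will not attach the cookie to an http:// request, so a site that still serves any page over plain HTTP must redirect to HTTPS first or the session silently disappears on those pages.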
 
LVL 2

Author Comment

by:detox1978
ID: 33506235
Hi Ray,

I've created a CMS application for my clients to manage their websites and I was thinking of allowing public signups.



D

0