securing sessions ?

nobody
Forum Regular
Posts: 349
Joined: Sun Mar 29, 2009 6:52 pm

securing sessions ?

Unread post by nobody »

Hello guys.

I am developing a PHP application. I validate users and keep many things stored in the session.
It's the first time I do such a thing and I was wondering... Is there any way someone can mess with my sessions, which are stored inside the server? I don't use cookies at all, for improved security. I should also note that I keep session files inside my private folder with 700 permissions. But I wonder if someone could somehow inject the session files...

Thanks
Hello IT.
Phone : Blah Blah ....
Have you tried turning it on and off again ?
Phone : Blah Blah ....
....
I'm sorry, are you from the Past ?!
http://www.youtube.com/watch?v=-E4fm4Wqego
Highland
Forum Regular
Posts: 674
Joined: Mon Apr 10, 2006 12:55 pm

Re: securing sessions ?

Unread post by Highland »

I assume you're talking about session poisoning. It's possible because PHP lets the end user set their own session by declaring PHPSESSIONID=MYSESSIONID and, thus, your session_id() would return "MYSESSIONID" instead of a random hash. I wouldn't worry about using cookies. There's no real advantage and, IMO, URL-based tracking draws more attention to the session (plus you run the risk that someone shares the URL socially and now you have two users with the same session).

Because users don't have any innate way to write what goes into the session itself (unless you have an insecure app), I wouldn't worry too much about that either. Session files are not executable.
"Its not a mac. I run linux... I'm actually cool." - scott
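The point Highland makes above, that a client can present a session id of its own choosing, is what is usually called session fixation, and the cookie-versus-URL point is covered by two ini settings. The following session bootstrap is an added example written for this thread, not code from either poster. The PHP ini keys and built-in functions are real; the function names, the constructed user table and the assumption that the site is served over HTTPS are this example's own.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.3+ (array form of
// session_set_cookie_params) and that the application runs over HTTPS.
declare(strict_types=1);

/**
 * Start the session so that:
 *  - an id the server never issued is rejected and replaced by a fresh one
 *    (session.use_strict_mode), which closes the "PHPSESSID=MYSESSIONID" case;
 *  - the id travels only in a cookie, never in the query string
 *    (session.use_only_cookies, session.use_trans_sid);
 *  - the cookie is unreadable by page scripts and is only sent over HTTPS.
 */
function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');   // reject client-invented ids
    ini_set('session.use_only_cookies', '1');  // never read the id from the URL
    ini_set('session.use_trans_sid', '0');     // never rewrite links with the id

    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,    // assumption: HTTPS everywhere
        'httponly' => true,    // not visible to document.cookie
        'samesite' => 'Lax',
    ]);
    session_start();
}

/**
 * Constructed user table: password hashes produced with password_hash() so the
 * login check below is real and not a stub. Replace with the app's own store.
 */
function findUser(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
        ];
    }
    return $users[$username] ?? null;
}

/** Returns the user id on success, null on any failure (no distinction leaked). */
function checkCredentials(string $username, string $password): ?int
{
    $user = findUser($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return null;
    }
    return $user['id'];
}

/**
 * Call only after credentials are verified. Issuing a new id at the moment the
 * session gains privileges means an id an attacker knew beforehand is useless,
 * and passing true deletes the old session file rather than leaving it around.
 */
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

/** Clear server-side data, expire the cookie, then destroy the session. */
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Request handling (constructed usage).
startSecureSession();
if (isset($_POST['username'], $_POST['password'])) {
    $id = checkCredentials((string) $_POST['username'], (string) $_POST['password']);
    if ($id !== null) {
        loginUser($id);
    }
}
```

With use_strict_mode on, a request that arrives carrying an unknown cookie value is simply given a new id, so nothing the client chose ever becomes the session key; regenerating the id at login covers the remaining case where an attacker managed to plant a valid id before the victim authenticated. The save_path and 700 permissions mentioned in the question are unaffected by this and still help, since they keep other local accounts from reading the serialized session data.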
nobody
Forum Regular
Posts: 349
Joined: Sun Mar 29, 2009 6:52 pm

Re: securing sessions ?

Unread post by nobody »

Highland wrote:
I assume you're talking about session poisoning. It's possible because PHP lets the end user set their own session by declaring PHPSESSIONID=MYSESSIONID and, thus, your session_id() would return "MYSESSIONID" instead of a random hash. I wouldn't worry about using cookies. There's no real advantage and, IMO, URL-based tracking draws more attention to the session (plus you run the risk that someone shares the URL socially and now you have two users with the same session).

Because users don't have any innate way to write what goes into the session itself (unless you have an insecure app), I wouldn't worry too much about that either. Session files are not executable.
Hello. Thank you very much for answering!

I don't show the session id in the address bar. I guess this isn't a problem for me, right?

The previous part I haven't understood yet! :(
I didn't want to use cookies in the first place because many browsers or freaked-out users don't work with cookies. Plus I read many topics on Google that sessions are supposed to be by nature more secure than cookies, since they rely on the server side and a user cannot see or edit them.
So a user can actually mess up ("edit") a session file somehow?
Highland
Forum Regular
Posts: 674
Joined: Mon Apr 10, 2006 12:55 pm

Re: securing sessions ?

Unread post by Highland »

Not that I am aware of. Let's say that you're running an insecure app that lets a user write into their session directly. Even if they could do that, there's no way to execute your session file.

Again, cookies avoid using URL sessions and URL sessions are easily shared. I don't know that I've ever seen any users "freak out" at cookies. They're invisible to most users.