Re: PHP Sessions



HTTP is a stateless protocol, therefore some sort of session identifier needs to be passed with every request in order to maintain a "session" with the server. There are two common approaches to this: the first is to pass the session identifier explicitly (e.g. part of the query string in a GET request or as part of the form submission for a POST request). The other is to pass the session identifier as a cookie (using the cookie headers).
What I fail to understand is why people use session IDs and pass them via the query string at all?
Session variables are passed via the query string when the user has cookies disabled in their browser. Some users disable cookies because of privacy issues. I'm not entirely sure about PHP, but most web technologies seem to write the first page that requires a session with each URL containing session information, and also send a cookie to the browser. If the cookie comes back from the browser on the next request, cookies are used from that point on. If the cookie doesn't come back from the browser (because the user has disabled cookies), the query string is used.
On a site that I maintain, I store the session ID in a session variable and then check that rather than a session ID passed through the query string. This way the user cannot modify the session ID and therefore only valid sessions are accepted.
If you are setting "session variables" in PHP you are sending cookies to the user's browser (or at least PHP is, under the covers). A good way to see this is by downloading the "Web Developer" extension for Firefox and looking through the "cookies" menu.

You can rely to a certain extent on the integrity of cookies if you (for example) use a decent amount of randomisation and a secure hash function to create the session id and maintain all session information on the server (i.e. don't pass any user-identifiable data in session ids).

It's also a good idea to keep track of the association from session id -> IP address; this can guard against session hijacking (where a malicious user uses the session id of a legitimate user to access your application).
Am I missing something here? Is there a way for a malicious user to edit session variables?
Possibly, I'm not sure what mechanism PHP uses to encrypt session information.

Cheers

Peter
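The configuration the reply above describes (cookie-only session ID, server-side session data, session bound to the client's IP address), written out as an added PHP example that is not part of the original thread. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params) and an application served over HTTPS.

```php
<?php
// Added example, not from the original thread. Assumes PHP >= 7.3 and HTTPS.
declare(strict_types=1);

// Keep the session ID out of the query string: cookies only, no URL rewriting.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject client-supplied IDs that this server never issued.
ini_set('session.use_strict_mode', '1');
// Cookie flags: not readable by script, HTTPS only, not sent cross-site.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

// The session data lives on the server; the client only ever holds the ID,
// so it cannot edit $_SESSION directly. Bind the session to the address it
// was created from and refuse to serve it from anywhere else.
$clientIp = $_SERVER['REMOTE_ADDR'] ?? '';
if (!isset($_SESSION['bound_ip'])) {
    $_SESSION['bound_ip'] = $clientIp;
} elseif ($_SESSION['bound_ip'] !== $clientIp) {
    // ID presented from a different address: possible hijack (or a user
    // whose address changed). Discard the session rather than serve it.
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    exit('Session rejected');
}

// On a privilege change such as login, issue a fresh ID so an ID obtained
// before authentication is worthless afterwards.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

Note that binding to the IP address also logs out legitimate users whose address changes mid-session (mobile networks, rotating proxies), so it is a trade-off rather than a free check.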
