7

Possible Duplicate:
PHP Can a client ever set $_SESSION variables?

What I'd like to know is whether a PHP $_SESSION variable can be changed on the client side. If, for example, I do $_SESSION['username'] = $username;, can someone somehow change the value of my $_SESSION['username'] variable?

George Korac

3 Answers

9

The contents of the SESSION superglobal cannot be changed. This lives on the server and the client has no way to access this.

However, a session id is passed to the client so that when the client contacts the server, the server knows which session to use. This value could be changed (see Calum's answer for preventing this, or see http://php.net/manual/en/session.security.php for information), which would allow a user to use someone else's session (but not change the value of the session).

Jim
5

PHP is a server-side programming language and the $_SESSION superglobal is only directly accessible on the server. With 'normal' PHP sessions, the data contained in the SESSION superglobal is passed back and forth between the browser and the server in a cookie. So technically, it is possible to modify the session with JavaScript in a web browser by modifying the cookie.

But please note, any attempt to do anything like this is probably a terrible idea and there's most likely a far more simple way to accomplish whatever you're trying to do.

Edit: this question I asked may be of use to you: Codeigniter/PHP sessions security question

Casey Flynn
  • Modifying the cookie won't let you change the values of the session superglobal but would let you use another session (provided you guessed a correct session id). – Jim Aug 02 '11 at 12:47
  • My concern is whether a **user** would be able to change this variable, and how I can secure it. – George Korac Aug 02 '11 at 12:49
  • It is doable, not simple. I'm trying to answer the question of: is it possible. Is it a good idea? No. – Casey Flynn Aug 02 '11 at 12:51
  • @George Korac: Yes. It is possible for a user to change a variable, so if you're using normal PHP sessions - no, you can't trust a user's input. A way around this is to use a database for session storage. The database stores a user's session variables and only an identifier is passed back and forth between the web browser and the server. This is very easy to implement with the CodeIgniter PHP framework. – Casey Flynn Aug 02 '11 at 12:53
  • Since it's possible, which parts of my PHP scripts should I protect, and how? Or does it have nothing to do with my PHP? I'm already filtering all user input, but I'm wondering whether they can use a script or such to change that value. – George Korac Aug 02 '11 at 12:56
  • @George Korac, a good first step is to make sure your cookies are encrypted. The easiest way to protect your script: use CodeIgniter (or another PHP framework, CI is my preference). It will filter any input in your POST variables, securely store your session data in a database, check the user agent of your client's web browser and optionally their IP address to prevent 'session hijacking'. – Casey Flynn Aug 02 '11 at 12:59
  • Otherwise you're going to have to do all of that yourself, and that's no fun. – Casey Flynn Aug 02 '11 at 12:59
  • Your question was of great help! I'll use "sess_use_database" and "sess_match_ip" to make my site moar secure. Thanks! – George Korac Aug 02 '11 at 13:00
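The comments above recommend "a database for session storage" so that only an identifier travels between browser and server. As an added example, not code from the answer or from CodeIgniter, this is what that looks like in plain PHP using the core SessionHandlerInterface and PDO with SQLite: the serialized $_SESSION payload is a row keyed by the session ID, and the cookie carries nothing but that ID. (PHP's default file-based handler also keeps the payload on the server; a database handler changes where the records live and makes expiry and revocation queries easy.) It assumes PHP 8 for the union return types and the pdo_sqlite extension; the table name, the database file name and the 24-minute lifetime are arbitrary choices for the demo.

```php
<?php
// Added example, not from the answer or CodeIgniter: a database-backed session store
// built on PHP's SessionHandlerInterface. Whatever the backend, the browser receives
// only the session ID; the serialized $_SESSION payload stays in the database row.
// Assumes PHP 8 (union return types) and the pdo_sqlite extension. Table/file names
// and the 1440-second lifetime are demo choices.
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $ttl;

    public function __construct(PDO $db, int $ttl = 1440)
    {
        $this->db  = $db;
        $this->ttl = $ttl;
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data BLOB NOT NULL, expires INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // Bound parameter: the ID comes from the client's cookie and is untrusted.
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $stmt->execute([$id, time()]);
        $row = $stmt->fetchColumn();
        // Unknown or expired ID: return '' so PHP starts an empty session. With
        // session.use_strict_mode on, PHP also issues a fresh ID instead of keeping
        // the one the client presented.
        return $row === false ? '' : (string) $row;
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time() + $this->ttl]);
    }

    public function destroy(string $id): bool
    {
        // Server-side revocation: deleting the row invalidates a stolen cookie too.
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        return $stmt->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires <= ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }
}

$db = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
ini_set('session.use_strict_mode', '1');
session_set_save_handler(new PdoSessionHandler($db), true);
session_start();

// Written into the database row, never into the cookie.
$_SESSION['username'] = $_SESSION['username'] ?? 'anonymous';
echo 'client holds only: ' . session_id() . "\n";
```

Because read() returns the empty string for an ID that is not in the table, a client who edits the cookie to a made-up value simply gets a new, empty session; hitting another user's session requires presenting that user's exact ID, which is the hijacking case the first answer describes.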
1

Not exactly, but you can simulate it with AJAX. Just write a PHP file that changes the value, and then call it from AJAX, just to execute it and change that value.

Hope this helps you.

elvenbyte