
Does anyone know the working principle of PHPSESSID? How does it work and where is it saved? Is it saved on the client side or on the server side? Will another person be able to connect to my account from their PC if they know my PHPSESSID?

harry
John

2 Answers

Yes, that's why it's better not to pass the session ID through the URL but to use cookies instead:

php.ini: session.use_cookies = 1

In that case there's a folder on the server (php.ini: session.save_path) that will store the files, and also a cookie on your hard drive to map your credentials to the registered session_id.

php.ini: session.cookie_lifetime

sets up the time this cookie will live for (0 for infinite), while

php.ini: session.gc_maxlifetime

defines how long it is going to live on the server.

Use

php.ini: session.cookie_httponly = 1 along with session.cookie_secure = 1 (if you are using SSL)

to improve the protection of the information in your cookies so they are unavailable through JavaScript, a good last-chance parachute in case of an XSS attack sending your cookies to a malicious destination.

As pointed out by Explosion Pills, there's always a way to be hijacked anyway. All you can do is make it harder.

Sebas
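The settings this answer lists can be applied from PHP code rather than php.ini, which also makes it possible to tie the Secure flag to whether the current request actually came over TLS and to regenerate the ID at login. The following is an added example and is not code from the answer or from the PHP project; the function names (secure_session_start, login_user, logout_user) are my own, and it assumes PHP 7.3 or later for the array form of session_set_cookie_params() and setcookie():

```php
<?php
// Added example, not from the answer above: a session bootstrap that
// applies the hardening the answer describes (cookies only, HttpOnly,
// Secure) plus strict mode and ID regeneration on login.
// Include it before any output is sent. Requires PHP >= 7.3.

declare(strict_types=1);

function secure_session_start(): void
{
    // Never accept a session ID from the URL (PHPSESSID=... in a link)
    // and never rewrite URLs to carry it.
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server never issued (defeats session fixation).
    ini_set('session.use_strict_mode', '1');

    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    // lifetime 0 means the cookie is discarded when the browser closes;
    // the server-side copy still expires per session.gc_maxlifetime.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => $https,   // only ever sent over TLS
        'httponly' => true,     // invisible to document.cookie (XSS parachute)
        'samesite' => 'Lax',    // not attached to cross-site POSTs
    ]);

    session_start();
}

function login_user(int $userId): void
{
    // Swap the pre-login ID for a fresh one so an ID captured before
    // authentication is worthless afterwards; true deletes the old file.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser with the same attributes it was
    // set with, then remove the server-side session file.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Usage (hypothetical request handler):
// secure_session_start();
// if ($credentialsOk) { login_user(42); }
```

Calling ini_set() here works only because it runs before session_start(); once a session is active these settings are fixed for the request. The HTTPS check means the Secure flag is set automatically on TLS deployments and omitted on a plain-HTTP development box, where a Secure cookie would never be returned by the browser.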

The session data is saved on the file system on the server side with the session ID as the identifier. The actual location varies, and you can change it via the session.save_path ini setting. You can also change the PHPSESSID name, but this is provided to the client as a cookie and references the session file. On my system:

/var/lib/php5/sess_53jsd3icrkbqbbfrl6qlv6e6a7

While browsing I have the PHPSESSID cookie 53jsd3icrkbqbbfrl6qlv6e6a7.

Since this is used to identify the session, it's a security risk if it's exposed, so yes, a user can steal your session if they know the session ID. This is called session hijacking. Note that even session.use_cookies = 1 is not enough because there's nothing preventing someone from setting that cookie if they know it. Using HTTPS to encrypt the cookie is the only valid solution I know of.

Explosion Pills
  • There's also http://us.php.net/manual/en/session.customhandler.php, which can be used instead of file-based sessions. – DCoder Apr 06 '13 at 15:20
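The mapping this answer describes (cookie value → sess_<id> file in session.save_path) and the hijacking consequence can be reproduced from the command line without a browser. The script below is an added example, not code from the answer or from PHP itself: it plays three requests in one CLI process, a "victim" that creates a session, a second client that replays the victim's ID, and an attacker presenting an ID the server never issued. The session data ('alice') and the attacker-chosen ID are constructed for the demo; cookies are disabled so it runs under php-cli, and the temp directory is used as save_path:

```php
<?php
// Added demonstration (not from the original answers): the session ID
// alone is the credential. A victim request creates a session, a second
// request presenting the same ID resumes it, and session.use_strict_mode
// rejects an attacker-chosen ID the server never issued.
// Run with: php session_hijack_demo.php

declare(strict_types=1);

// CLI-friendly settings: no cookie or cache headers, temp dir as store.
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
ini_set('session.cache_limiter', '');
ini_set('session.save_path', sys_get_temp_dir());

function sessionFile(string $id): string
{
    // The default files handler stores each session as save_path/sess_<id>,
    // exactly the /var/lib/php5/sess_... path shown in the answer.
    return session_save_path() . DIRECTORY_SEPARATOR . 'sess_' . $id;
}

// Request 1: the victim logs in. PHP generates the ID.
session_start();
$_SESSION['user'] = 'alice';          // constructed sample data
$victimId = session_id();
session_write_close();                // flush $_SESSION to disk, end "request"

$onDisk = is_file(sessionFile($victimId))
    ? file_get_contents(sessionFile($victimId))
    : '(no file)';

// Request 2: a different client presents the stolen ID. Nothing ties the
// ID to the original browser, so the server hands back alice's session.
$_SESSION = [];
session_id($victimId);
session_start();
$hijacked = $_SESSION['user'] ?? '(empty)';
session_destroy();                    // remove the demo session file

// Request 3: an attacker-chosen ID that the server never issued
// (session fixation). With use_strict_mode=1 PHP discards it and
// generates a fresh ID instead of creating a session under it.
ini_set('session.use_strict_mode', '1');
$_SESSION = [];
$chosenId = 'attackerchosenid0123456789abcdef';  // constructed, never issued
session_id($chosenId);
session_start();
$issuedId = session_id();
session_destroy();

echo "victim session id : $victimId\n";
echo "file on server    : " . sessionFile($victimId) . "\n";
echo "serialized data   : $onDisk\n";
echo "replayed by second client, user = $hijacked\n";
echo "fixation attempt with $chosenId\n";
echo "strict mode kept it? "
    . ($issuedId === $chosenId ? 'yes' : 'no, server issued ' . $issuedId) . "\n";
```

Request 2 is the answer's point in miniature: the replayed ID is accepted because it matches an existing sess_ file, whether or not the original was issued to this client, which is why HTTPS (and the HttpOnly flag from the other answer) matter for keeping the ID secret. Request 3 shows what use_strict_mode does and does not buy: PHP's documentation states it rejects IDs the server did not issue, so the last line reports a freshly generated ID rather than the attacker's, but strict mode cannot distinguish a stolen valid ID from its rightful owner.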