
I have in my website an admin panel from which I can log in to manage my website, and for the login authentication I'm using code that checks whether the username and the password exist in the DB, and if yes, I set a variable to true like this: $_SESSION['admin_logged'] = true;

I want to know whether this way is safe or not, because I've heard somewhere that session variables can be stolen or sniffed or something like that, but I really have no idea what that means. How can someone steal the variables while they are saved on the server side? And if possible, how can I prevent this from happening? Thank you very much in advance.

Jonathan Leffler
Kadir Damene
    Think this is more relevant on security.stackexchange. They have a question on it already, http://security.stackexchange.com/questions/81519/session-hijacking-through-sessionid-brute-forcing-possible – chris85 Sep 20 '15 at 22:48
  • I tend to think unless you're running a bank, sessions out of the box are fine – Sep 20 '15 at 23:00
  • I literally answered a very similar question a month ago: [Are Laravel 4 session variables secure?](http://stackoverflow.com/a/31978508/2224584) – Scott Arciszewski Sep 21 '15 at 04:17

1 Answer


PHP session variables are stored on the server. Clients or hijackers would not have direct access to the information stored, so hijacking is not that easy without physical access to the client's computer. This method should be secure enough, but for more security you could also authenticate the session and the IP address. Find out more here.

Chuksy
  • This is not necessarily true. You can store them in a database or on a filesystem connected over an insecure connection; at which point, anyone that can sniff network traffic can mess your system up. – Scott Arciszewski Sep 21 '15 at 04:18
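The asker's login sets $_SESSION['admin_logged'] = true after a DB check, and the answer suggests also tying the session to the client's IP address. The block below is an added example, not code from the question, the answer or any project, showing a hardened form of that login: session cookie flags so the ID is not sent over plain HTTP or exposed to script, strict mode against session fixation, ID rotation on login, and the IP binding the answer mentions. The function names admin_login(), admin_is_logged_in(), start_secure_session() and the $users array are assumptions for illustration.

```php
<?php
// Added example, not code from the question or the answer: a hardened form of
// the asker's $_SESSION['admin_logged'] = true login. admin_login(),
// admin_is_logged_in() and the $users array are names assumed for illustration.
declare(strict_types=1);

// Constructed sample credential store (a bcrypt hash of the word "example"),
// standing in for the asker's database lookup.
$users = ['admin' => password_hash('example', PASSWORD_DEFAULT)];

// Cookie flags that keep the session ID off plain HTTP and out of reach of
// script, plus strict mode so PHP never adopts an ID it did not issue itself
// (closes session fixation, one way a hijacker obtains a valid session).
function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS, so it cannot be sniffed
        'httponly' => true,   // not readable by JavaScript
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Verify the password with password_verify(), then rotate the session ID so
// any ID captured before login is useless afterwards.
function admin_login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['admin_logged'] = true;
    // Bind the session to the client address, as the answer suggests; this
    // also logs out legitimate users whose address changes (mobile, proxies).
    $_SESSION['bound_ip']  = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['logged_at'] = time();
    return true;
}

// Run on every admin page: logged in, same address, and not older than 30 min.
function admin_is_logged_in(int $max_age = 1800): bool
{
    return !empty($_SESSION['admin_logged'])
        && ($_SESSION['bound_ip'] ?? null) === ($_SERVER['REMOTE_ADDR'] ?? '')
        && (time() - (int) ($_SESSION['logged_at'] ?? 0)) < $max_age;
}
```

Call start_secure_session() before any output on every page, admin_login() from the login form handler, and admin_is_logged_in() at the top of each admin page; the session store itself should also be local or reached over an encrypted connection, as the comment above points out.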