
I am curious to know how keys and values are encrypted in the session - which standard it uses. Are sessions decryptable? If not, can we easily extract the values from it?

PHP Skill: Intermediate.

For example:

Setting Session variables:

session_start(); // required before $_SESSION can be used
$_SESSION["greetings"] = "happyNewYear";
$_SESSION["year"] = "2016";

Extracting:

print_r($_SESSION);

I want to know what is happening between setting the variables and saving it.

wogsland
Puneet
  • What exactly gives you the idea that they are encrypted at all? As far as I know they are stored in a plain (somehow serialized) format in a file on the server, by default, that is. – ArSeN Jan 02 '16 at 17:44
  • They are saved plaintext on the server. – Charlotte Dunois Jan 02 '16 at 17:44

2 Answers


PHP stores session data in files on the server (it's possible to customize the storage method, but this is the default). Each session has its data stored in a different file, named after the session ID. The session ID is normally a randomly generated string. The contents of the file are the result of serialize($_SESSION).

The session ID is then sent to the client as a cookie, named PHPSESSID. When the client sends back this cookie, PHP loads the values from the corresponding file into $_SESSION.

The data is not encrypted; the security of this basically depends on the inability to guess the long session ID cookie. See PHP Session Fixation / Hijacking for more discussion of attacks against this.

Barmar
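As an added example (not code from the question or from either answer), the script below writes the two values from the question through PHP's default files save handler and then reads the resulting sess_<id> file back, the way the next request would after the PHPSESSID cookie supplies the ID. It assumes a CLI run with the default save_handler=files and serialize_handler=php; with that serialize handler the file holds session_encode() output ("key|serialized-value" pairs), which is what session_start() reads back, and the contents are plaintext either way.

```php
<?php
// Added example, not from the original question or answers.
// Assumes php session_demo.php on the CLI, default files handler,
// default php serialize handler.

$dir = sys_get_temp_dir() . '/sess_demo';   // private directory for the demo
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
ini_set('session.save_handler', 'files');
ini_set('session.serialize_handler', 'php');
ini_set('session.save_path', $dir);
ini_set('session.use_cookies', '0');        // CLI: there is no cookie to send
ini_set('session.cache_limiter', '');

// 1. Set the values exactly as in the question, then flush them to disk.
session_start();
$_SESSION["greetings"] = "happyNewYear";
$_SESSION["year"] = "2016";
$id = session_id();
session_write_close();                       // writes $_SESSION to sess_<id>

// 2. The file is named after the session ID and its body is plaintext
//    session_encode() output, not ciphertext.
$file = "$dir/sess_$id";
$raw  = file_get_contents($file);

// 3. Simulate the next request: in a web request the PHPSESSID cookie
//    would supply this ID; here we set it explicitly.
session_id($id);
session_start();                             // reloads the file into $_SESSION
$reloaded = $_SESSION;
session_destroy();                           // also removes the file

echo "Session file : $file\n";
echo "Raw contents : $raw\n";   // greetings|s:12:"happyNewYear";year|s:4:"2016";
echo "Reloaded     : ";
print_r($reloaded);

// Defender check: anything that can read save_path can read every session,
// so the directory must not be readable by other local users.
$mode = fileperms($dir) & 0777;
printf("save_path mode: %o (%s)\n", $mode, ($mode & 0077) ? 'too permissive' : 'ok');
```

On a shared host the same check applies to the real session.save_path (often /tmp or /var/lib/php/sessions), which is why hardened setups give each vhost its own save_path or a database-backed handler.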

By default $_SESSION is saved serialized in a plaintext file on the filesystem of the server.

jpossi
  • Can you provide me the info about how it is encrypted in a cookie that is stored on the client side? – Puneet Jan 02 '16 at 18:03
  • It's not encrypted in the cookie. See my answer for how the cookie relates to the session data. – Barmar Jan 02 '16 at 18:03