23

Is there any scenario where a client/user/hacker can set $_SESSION variables themselves (excluding malicious software running on a server computer. I mostly mean via the browser)?

The reason I ask is because of this question that I asked a few days ago. Since then I have become pretty confused on the subject, but I've got a better idea of session fixation and hijacking.

To put it as simply as possible, if I validate every page with something like isset($_SESSION['validated']), is it secure?

Ben

4 Answers

22

Yes if you were assigning $_SESSION variables directly to unfiltered user input.

Which brings me to my point: NEVER TRUST INPUT FROM THE USER. EVER

If indeed you are filtering the input, then I don't see how it could be done.

Jacob Relkin
  • Indeed, (assuming sensibility on behalf of the web programmer) it couldn't. The data for `$_SESSION` is kept on the server itself, and it's looked up by a key stored as a cookie. There's no way to actually permute data in `$_SESSION` itself, but a user could possibly guess the session ID of another session and send the appropriate session cookie. But for all intents and purposes, to you (the web programmer), they'd be exactly the same as the other user, so it's not your responsibility to protect against them anyway. Firesheep (http://codebutler.github.com/firesheep/) does that. – Asherah Nov 15 '10 at 06:34
  • @Arlen - if you have a look at my edit, that's exactly the answer I was looking for in the other question I asked. Some rep is up for grabs there. – Ben Nov 15 '10 at 06:37
1

Yes, it's possible. Read about Session poisoning and another quite common security issue Session fixation on Wikipedia or Google it - the web is full of articles about that.

Crozin
  • Uhhh...that article has phrases like "which is possible if attacker and victim share a web hotel" and "hare the same session states but where usage differ, causing ambiguity and race conditions". But I get your point and will look around. – Ben Nov 15 '10 at 06:32
  • Not sure session poisoning is relevant here. Those are language agnostic coding problems that have to do with assigning session variables using unsanitized user input. The fact of the matter is, there is no way for clients to directly access $_SESSION. Your application has to do it for them. Whether you allow that or not is a separate issue here. You can trust $_SESSION to be safe from direct user manipulation, just as you can trust that files outside of your web root cannot be directly accessed by users, unless you implement a way to allow it. – Lèse majesté Nov 15 '10 at 06:48
-1

I don't think $_SESSION variables can be changed unless the user has server access; otherwise, no, they can't change it, but filtering the variables or sanitizing them is recommended if it is something the user enters.

Richard
-2

I do not quite understand the question, but this question explains my way of what I think that you want to do.

Make sure that you include jQuery.

Code:

<html>
<head>
  <title>Tab name</title>
  <meta charset = "UTF-8" />
  <!-- jQuery has to be loaded before script.js, which uses $ -->
  <script type = "text/javascript" src = "http://code.jquery.com/jquery-1.11.3.min.js"></script>
  <script type = "text/javascript" src = "script.js"></script>
</head>
<body>
</body>
</html>

Then make a file called addsession.php.

Code for addsession.php:

<?php
  session_start(); // must run before any output, otherwise $_SESSION is not available

  if(isset($_POST["name"])){
    $name = $_POST["name"];
  } else {
    print '<p style = "color: red; font-weight: bold;">Name not defined!</p>' . "\n";
    $name = "unknownsessionvariable";
  }
  if(isset($_POST["value"])){
    $value = $_POST["value"];
  } else {
    $value = "";
  }
  // The client chooses both the key and the value stored in the session here;
  // this is the "assigning $_SESSION directly from user input" case the other answers warn about.
  $_SESSION[$name] = $value;
?>

Code for script.js:

function session(name, value){
  // Reload only after the POST has completed; reloading immediately can abort the request.
  $.post("addsession.php", {"name" : name, "value" : value}, function(){
    window.location.reload(); // This line maybe should be here depending on what you are doing.
  });
}
$(document).ready(function(){
  session("sessvar", "supervalue");
});

Example code snippet:

function session(name, value){
  $.post("http://www.eastonwerling.com/addsession.php", {"name" : name, "value" : value});
  //window.location.reload();
}
$(document).ready(function(){
  session("sessvar", "supervalue");
});
<script src="http://code.jquery.com/jquery-1.11.3.min.js"></script>
<p>This example depends on www.eastonwerling.com (my website).</p>
Ewer Ling