40

this is crossing my mind and I'm wondering if it is possible, how secure can it be to store info in the $_SESSION variable of PHP?

Chris Bier
Castro Roy

4 Answers

57

Storing variables in the $_SESSION variable has two potentials for "insecurity".

  • The first, as described by the other answer, is called "session fixation". The idea here is that since the session ID is stored in a cookie, the ID can be changed to that of another user. This is not a problem if a user gets a new ID every single session, therefore making it very difficult to find an ID of a currently working session and hijack it.
  • The second depends entirely on your code. If your code leaks the values of the secret information you store in $_SESSION then it is insecure. If your code allows the user to control the values of that information it is insecure. Otherwise if something is in the $_SESSION variable and your code never allows the user to see it or write to it then it is secure.
YoriKv

  • +1 Because this [is the only response as of yet that] addresses vulnerabilities allowed by insecure coding. – Feb 25 '11 at 20:06
  • Leaking would be something like `Hello, $_SESSION['username'], your password is $_SESSION['password']`. Session data is kept on the server, and unless your code explicitly outputs any part of it, it cannot ever be viewed by the remote user. – Marc B Feb 25 '11 at 20:29
  • @MarcB I'm curious, would you recommend avoiding entirely using $_SESSION['info'] to display stuff in HTML or just avoid displaying crucial information, such as the password in your example? – Jish Nov 20 '12 at 21:16
  • @jish: depends on what you store in the session, and what you do with it once it's in the session. – Marc B Nov 21 '12 at 15:02
  • Wouldn't session vulnerability in the second case (let the user control a session variable value) mean something like getting it from user input, or an HTML element via js? – Vörös Imi Mar 17 '20 at 06:32
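An added example, not code from the answer above, showing how both points translate into PHP: rejecting IDs the server never issued and rotating the ID at login (the fixation point), and keeping user-controlled or secret data out of the session and out of the page (the coding point). It assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`, and the user table is a constructed stand-in for a database lookup.

```php
<?php
// Added example, not the answer's own code: a session setup that addresses the two
// risks above, a fixated/stolen ID and application code that leaks or exposes data.

// Reject session IDs the server never issued (defeats a fixated, attacker-chosen ID).
ini_set('session.use_strict_mode', '1');
// Cookie flags: not readable by JavaScript, HTTPS only, not sent on cross-site navigation.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

// Constructed user table standing in for a database lookup (sample data only).
$USERS = ['alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];

function login(array $users, string $username, string $password): bool
{
    $user = $users[$username] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // New ID at the privilege change, so an ID obtained before login is worthless after it.
    session_regenerate_id(true);
    // Store only what later requests need, and nothing the client must not see.
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['role']    = 'user';
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Insecure pattern from the answer's second point: the client chooses a session value.
//   $_SESSION['role'] = $_GET['role'];
// Leak pattern from the comments: secrets echoed from the session into the page.
//   echo "Your password is " . $_SESSION['password'];

// Safe use: authorization comes from server-set values only; rendered values are escaped.
function is_admin(): bool { return ($_SESSION['role'] ?? '') === 'admin'; }

if (login($USERS, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    echo 'Logged in as user #' . htmlspecialchars((string) $_SESSION['user_id'], ENT_QUOTES, 'UTF-8');
}
```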
14

PHP sessions work by storing a PHPSESSID cookie on the end user's computer that acts as an access key for server-based session information. That cookie value is a hashed string (the security of which depends on your PHP settings) that is used to link the particular browser to the specific session values you set.

That string looks something like b420803490a9f0fe8d6a80657fec3160. So, the end user could alter that string, but then their session will become invalid, since it almost certainly won't match one that's being stored by PHP, and they won't have access to data.

There is a risk, as others have mentioned, that someone's PHPSESSID becomes exposed, and people use that to hijack someone else's session.

Yahel
5

The $_SESSION is stored entirely on the server, so the user cannot modify it. However, it is possible for session-hijacking exploits where the user gets connected to another user's session.

mellamokb
2

Whereas the less secure $_COOKIES are on the client computer, the $_SESSION is stored on the server. Its location is determined by the session.save_path of php.ini. However, there are still security issues such as session fixation.

brian_d