I am writing an API in PHP that utilizes sessions to store authenticated user data. However, because the API is going to be used across multiple software instances (web browser, application client, node.js fetch library, etc.), I've run into an obvious problem.
Since I want the sessions to be the same for each user on each group of software, I decided to let the user set the session_id() in the GET query. This way, any associated software can access the exact same session without relying on HTTP cookies.
<?php
// Refuse the request if the client did not supply a session id
if (!isset($_GET["sesID"])) {
    die;
}
// Use the client-supplied value as the session id, then open that session
session_id($_GET["sesID"]);
session_start();
...
?>
However, when I started researching session security, I came to the conclusion that this method appears extremely insecure and ineffective. Is there a better way to go about this problem? Thanks.
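The following is an added example, not code from the question or from any answer on the page. It shows the pattern the question is reaching for (one credential shared by a browser, a native client and a node.js script) done with a server-issued bearer token instead of a client-chosen session_id(). The client never picks its own identifier, so an attacker cannot plant one in a link the way they can with a session id in the query string, and the token travels in the Authorization header rather than the URL, so it does not end up in server logs, browser history or Referer headers. The in-memory $tokenStore, the TOKEN_TTL constant and the function names are assumptions for the example; a real deployment would back the store with a database table.

```php
<?php
// Added example: server-issued bearer tokens as an alternative to
// accepting session_id() from $_GET. Runs stand-alone from the CLI.
declare(strict_types=1);

// Assumed for the example: token lifetime in seconds.
const TOKEN_TTL = 3600;

// Assumed in-memory store: sha256(token) => ['user_id' => int, 'expires' => int].
// Only a hash of the token is kept, so a leaked store does not yield usable tokens.
$tokenStore = [];

// Called once the user has proven who they are (password, OAuth, etc.).
// Returns the raw token to hand to the client; the server keeps only its hash.
function issueToken(array &$store, int $userId, ?int $now = null): string
{
    $now ??= time();
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $store[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => $now + TOKEN_TTL,
    ];
    return $token;
}

// Pulls the token out of "Authorization: Bearer <64 hex chars>".
// Anything that does not match the exact format is rejected before lookup.
function extractBearer(?string $authorizationHeader): ?string
{
    if ($authorizationHeader === null) {
        return null;
    }
    if (!preg_match('/^Bearer\s+([A-Fa-f0-9]{64})$/', $authorizationHeader, $m)) {
        return null;
    }
    return strtolower($m[1]);
}

// Returns the authenticated user id, or null if the token is missing,
// malformed, unknown or expired. Expired entries are purged on sight.
function authenticate(array &$store, ?string $authorizationHeader, ?int $now = null): ?int
{
    $now ??= time();
    $token = extractBearer($authorizationHeader);
    if ($token === null) {
        return null;
    }
    $key = hash('sha256', $token);   // lookup by hash, never by the raw token
    if (!isset($store[$key])) {
        return null;
    }
    if ($store[$key]['expires'] <= $now) {
        unset($store[$key]);
        return null;
    }
    return $store[$key]['user_id'];
}

// Logout: invalidates one token without touching the user's other clients.
function revokeToken(array &$store, string $token): void
{
    unset($store[hash('sha256', $token)]);
}

// Demo with constructed values (not real traffic).
$t0 = 1_700_000_000;
$token = issueToken($tokenStore, 42, $t0);

// A valid token presented in the header authenticates user 42.
assert(authenticate($tokenStore, "Bearer $token", $t0 + 10) === 42);

// A client-invented identifier (the sesID situation) is simply unknown.
assert(authenticate($tokenStore, 'Bearer ' . str_repeat('a', 64), $t0 + 10) === null);

// Tokens in the wrong place or wrong shape never reach the store.
assert(authenticate($tokenStore, "Basic $token", $t0 + 10) === null);
assert(authenticate($tokenStore, null, $t0 + 10) === null);

// After TOKEN_TTL the token is dead and removed from the store.
assert(authenticate($tokenStore, "Bearer $token", $t0 + TOKEN_TTL) === null);
assert($tokenStore === []);

echo "bearer-token demo OK\n";
```

Each client (browser, desktop app, node.js script) obtains its own token from a login endpoint and sends it as `Authorization: Bearer ...`; the user's data lives server-side under the user id, not under a shared session id, so every client sees the same account state without any of them being able to choose the identifier. If PHP sessions are kept for the browser side, the settings that matter for the same class of problem are session.use_strict_mode=1 (the server refuses ids it did not generate) and session_regenerate_id(true) immediately after login.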