Is it possible for a malicious user to set the $_SESSION (in PHP) variable to any value he wants?
9 Answers
Highly depends on your code. Something very obvious: $_SESSION['username'] = $_REQUEST['username'].

It depends on how you set the session variables. A user can exploit the way you set them.
The most common attack with sessions is session fixation: http://en.wikipedia.org/wiki/Session_fixation

Yes, by using another user's session data, as shown here: http://phpsec.org/projects/guide/4.html

If you provide a means for him to do so (bad/insecure code), it is possible. However, this is generally unlikely.

Not typically, but they could if, for instance, you had a remote code execution vulnerability in your PHP.

Unless you have done something wrong in your code, he can't set it on your server. What he can do is steal some other user's session cookie and get in that way... in other words, he can change his own session cookie that your $_SESSION uses to identify him.

No, not if your code is correct and doesn't allow setting values based on unverified user input.

Yes. If you use something from a cookie or another similar request method that a user can edit to interact with the session, then there is a chance. For example, say you make an online store, store the item IDs in the cookie, and on page refresh push them into the session. While on the page a user can edit the cookies, so when they go into the session they have been modified.
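To make the cart scenario in the last answer concrete, here is an added example (not code from any answer on this page) contrasting a loader that copies the cookie straight into $_SESSION with one that validates every ID against a server-side catalogue, plus the session ID regeneration that mitigates the fixation attack mentioned in the second answer. The catalogue, the cookie name and the function names are assumptions.

```php
<?php
// Added example, not from any answer on this page.
// The catalogue, cookie name and function names are constructed for illustration.

session_start();

// Constructed server-side catalogue: only these item IDs exist.
const CATALOGUE = [101 => 'Keyboard', 102 => 'Mouse', 103 => 'Monitor'];

// Vulnerable: whatever the browser sends in the cookie becomes session state,
// the same mistake as $_SESSION['username'] = $_REQUEST['username'].
function loadCartUnsafe(): void
{
    if (isset($_COOKIE['cart'])) {
        $_SESSION['cart'] = explode(',', $_COOKIE['cart']);
    }
}

// Hardened: the cookie is only a hint; each value must be a digit string
// naming a real catalogue item before it is allowed into $_SESSION.
function loadCartSafe(): void
{
    // A cookie sent as cart[]=... arrives as an array, so check the type too.
    if (!isset($_COOKIE['cart']) || !is_string($_COOKIE['cart'])) {
        return;
    }
    $ids = [];
    foreach (explode(',', $_COOKIE['cart']) as $raw) {
        if (ctype_digit($raw) && array_key_exists((int) $raw, CATALOGUE)) {
            $ids[(int) $raw] = true;   // keyed to de-duplicate
        }
    }
    $_SESSION['cart'] = array_keys($ids);
}

// Session fixation mitigation: once the user authenticates, discard the
// pre-login session ID so an ID planted by an attacker no longer maps to
// the authenticated session.
function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

With the unsafe loader a cookie of cart=999,abc lands in the session verbatim; the safe loader drops both values and only ever stores IDs the server already knows.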
