I just want to know how PHP encrypts the session cookies.

The reason is, for example, if 24 always gets encrypted to _randomString, then an attacker can make a request using that _randomString as the session ID, thus impersonating the user with id=24.

Even if 24 doesn't always get encrypted to the same _randomString, what I am worried about is the fact that PHP always encrypts in a certain way and we can't change the secret key, for example, which makes it easy for an attacker.

Also, I am not sure if PHP uses a secret key encryption.

Thank you

ELA
  • Session ID cookie (PHPSESSID) values look like garbage not because they are encrypted - they are **not encrypted** at all but contain **real random garbage**, so [you should not care about hacker guessing it and impersonating site visitor](https://stackoverflow.com/questions/138670/how-unique-is-the-php-session-id). – Maxim Sagaydachny Apr 02 '20 at 04:54
  • @MaximSagaydachny So how does the server know what the original value of PHPSESSID was? (How does it translate the random garbage back to 24, for example?) – ELA Apr 03 '20 at 16:25
  • It does not translate into anything - it is the thing itself which is used as a key for the session - it is either a filename, a database field value or a memcache key – Maxim Sagaydachny Apr 03 '20 at 16:36
  • @MaximSagaydachny It is a database field. I don't understand how it does not translate to anything. In index.php the code is: `$_SESSION["id"] = 24`. When the server sends that index.php as a response, the browser will store the cookie PHPSESSID = "random_garbage". When the browser sends a request back, this cookie, whose value is "random_garbage", is sent to the server. If we do `echo $_SESSION["id"]`, it will print out "24" --> So how does the server know that "random_garbage" should be "24" without translation? – ELA Apr 03 '20 at 18:22
  • Suppose we have a default installation - by default PHP stores sessions in files in the folder /var/lib/php/sessions/. Suppose the browser sends PHPSESSID=ZXC. Then the server will deserialize the file /var/lib/php/sessions/sess_ZXC with the corresponding array element id=24. PHPSESSID contains the cell "ID" in a big warehouse. The cell itself is not closed and not encrypted. Typically there is no sense in encrypting such storage content - hackers can't access the warehouse. The visitor names the key for the cell and the server uses this cell - that is all. The same principle works when you use alternative storage like db / memcache – Maxim Sagaydachny Apr 03 '20 at 19:20
  • @MaximSagaydachny Ok, so it is "stored" in local file system, and not "translated". Thank you – ELA Apr 04 '20 at 15:01
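
The lookup described in the comments above, as an added example that is not part of the original thread: a PHP CLI script that stores `id = 24`, reads the raw `sess_<ID>` file, reloads it by ID, and then shows `session.use_strict_mode` refusing an ID the server never issued. The temporary directory and the value `guessedvalue123` are constructed for illustration.

```php
<?php
// Added example, not from the thread. Run with the PHP CLI: php demo.php
// Output is collected and printed at the end so no session call follows output.
$dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4)); // constructed path
mkdir($dir, 0700);

ini_set('session.save_handler', 'files');
ini_set('session.save_path', $dir);
ini_set('session.serialize_handler', 'php');
ini_set('session.use_cookies', '0');     // CLI: there is no Set-Cookie header to send
ini_set('session.cache_limiter', '');    // CLI: no cache headers either
ini_set('session.use_strict_mode', '1'); // only accept IDs that exist in the store

$out = [];

// "Request 1": PHP generates a random ID and stores the data under it.
session_start();
$sid = session_id();                 // the value PHPSESSID would carry
$_SESSION['id'] = 24;
session_write_close();               // flushes to $dir/sess_<ID>
$out[] = "PHPSESSID    : $sid";
$out[] = 'file content : ' . file_get_contents("$dir/sess_$sid"); // id|i:24;

// "Request 2": the browser sends the same ID back; PHP opens the matching file.
$_SESSION = [];
session_id($sid);
session_start();
$out[] = 'lookup by ID : ' . $_SESSION['id'];                      // 24
session_write_close();

// "Request 3": a client-chosen ID with no matching file (constructed value).
$_SESSION = [];
session_id('guessedvalue123');
session_start();
$out[] = 'unknown ID replaced : ' . var_export(session_id() !== 'guessedvalue123', true);
$out[] = 'data visible        : ' . var_export(isset($_SESSION['id']), true);
session_destroy();

// Clean up the demo store.
array_map('unlink', glob("$dir/sess_*"));
rmdir($dir);

echo implode("\n", $out), "\n";
```

The file content is plain serialized data, so the protection comes from the ID being unguessable and from the session store being readable only by the server.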

0 Answers