Bytes | Software Development & Data Engineering Community

SESSION variables

nunoperalta
19 New Member
Hey!

I would like to know if it is possible to "hack" $_SESSION variables from the user side. I have register_globals=off, and I think I have cool security in my PHP scripts. My question is related only to the user's computer, not my server.

Also, where are the SESSION variables logged? Are they on my server, or on the user's computer, in the same way as cookies?

Thanks in advance :)
Jun 11 '09 #1
Dormilich
8,658 Recognized Expert Moderator Expert
Session variables are stored on the server. If something is saved on the client side, it is the session ID (in a cookie).
Jun 11 '09 #2
waqasahmed996
160 New Member
Sessions are stored on the server, but cookies are stored in the browser.
Jun 11 '09 #3
Atli
5,058 Recognized Expert Expert
It's technically not possible to "hack" the session data itself from the client side (in an easy way, at least), but it is possible to "hijack" the session ID, which would give them access to whatever the session is protecting. Meaning, if you use sessions for member logins, they could assume the identity of a logged-in member.

There is very little you can do about this, except maybe make it more difficult by verifying IP addresses or adding non-session cookies to verify.

At some point you just need to trust the client to not lose the session cookie.
Jun 11 '09 #4
nunoperalta
19 New Member
Hey, thanks for the answers :)

I understand the ID part. I will try to find a way to have protection for each session ID, like checking the email or username... this should fix the problem...

Thanks a lot for your help!
Jun 11 '09 #5
Dormilich
8,658 Recognized Expert Moderator Expert
@nunoperalta
You can't protect the session ID that easily (as Atli explained) because the session ID is submitted along with every HTTP request (and you certainly don't want the user to log in every time… then you'd go against the intention of sessions).
Jun 11 '09 #6
nunoperalta
19 New Member
OK yeah... I was just now thinking about it more, and yeah, my idea was a bit "stupid", lol...

anyway, I will try with IPs then, and research about this issue.

Thanks again! :)
Jun 11 '09 #7
Dormilich
8,658 Recognized Expert Moderator Expert
Have a look at the $_SERVER array; it may contain useful information.
Jun 11 '09 #8
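The approach Atli and Dormilich sketch above (make a hijacked ID less useful by checking client properties from $_SERVER, plus cookie hygiene), as an added example that is not code from this thread or its posters. It assumes PHP 7.3 or later with the default session handler; the function names configure_session, client_fingerprint, login_user and current_user_id are mine.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7.3; function names are mine.

// Must run before session_start(): strict mode rejects IDs the server never
// issued, and the cookie flags keep the ID off the URL, off plain HTTP and
// out of reach of JavaScript.
function configure_session(): void {
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Client fingerprint built from $_SERVER. The IPv4 address is reduced to its
// /24 so users behind rotating proxies are not logged out on every request;
// this is a trade-off that raises the bar, not a guarantee.
function client_fingerprint(): string {
    $ip  = $_SERVER['REMOTE_ADDR'] ?? '';
    $net = implode('.', array_slice(explode('.', $ip), 0, 3));
    $ua  = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $net . '|' . $ua);
}

// Call once the password has been verified: a fresh ID defeats session
// fixation, and the fingerprint is stored server-side next to the identity.
function login_user(int $userId): void {
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['last_seen']   = time();
}

// Call on every request that needs a logged-in user. A cookie replayed from a
// different network or browser, or an idle session, is destroyed.
function current_user_id(int $idleLimit = 1800): ?int {
    if (empty($_SESSION['user_id'])) {
        return null;
    }
    $stale   = (time() - ($_SESSION['last_seen'] ?? 0)) > $idleLimit;
    $changed = !hash_equals($_SESSION['fingerprint'] ?? '', client_fingerprint());
    if ($stale || $changed) {
        $_SESSION = [];
        session_destroy();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}
configure_session();
session_start();
```

Binding to the full IP would lock out users behind carrier NAT or proxy pools, which is why only the /24 and the user agent are checked; as Atli says, this makes hijacking harder rather than impossible.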
nunoperalta
19 New Member
Yup, I know about it, and I use this array already, for other types of security or tracking :) It's very useful!
Jun 11 '09 #9
