Is it possible for a malicious user to edit $_SESSION?_问答_开发者

Is it possible for a malicious user to edit $_SESSION?

开发者 https://www.devze.com 2022-12-15 05:17 出处：网络

I save some important info in $_SESSION, not in $_COOKIE. 开发者_JS百科So, my question, is it dangerous? Or is it protected from malicious users trying to edit it and I\'m fine?

相关专题：php session

I save some important info in $_SESSION, not in $_COOKIE. 开发者_JS百科So, my question, is it dangerous? Or is it protected from malicious users trying to edit it and I'm fine? Thank you.

By the way, is it possible also to edit $_COOKIE? I heard yes, but if yes, then how?

$_SESSION is stored server-side. The best a hacker could do would be substitute another user's session for the existing session, but the hacker could not insert arbitrary data into $_SESSION. $_COOKIE is, however, stored client-side, so a hacker can insert arbitrary data into the cookie, by just editing the cookie.

By default, the $_SESSION is already backed by a cookie with the name phpsessionid (so that the server is able to identify the client and associate it with one of the sessions in server's memory). If a hacker knows the cookie value of someone else and copies it in its own cookie with the same name on the same domain/path, then the hacker has access to the same $_SESSION. The cookie value is however long and random enough to minimize the risks the session being hijacked within half a hour (the default session timeout).

If you're worried about people altering sessions (session hijacking) look into session_regenerate_id()

$_SESSION is stored on your webserver, so it's not possible to directly alter it via the web. Of course, your PHP application can update $_SESSION, so it still might be possible for an attacker to trick your application into doing something to $_SESSION that it shouldn't - it all depends on the specifics of your application.

$_COOKIE is stored on the user's browser, which means that the user has the power to change their own cookies.

One of the main uses for cookies is authentication. A user logs in and information is stored in $_SESSION. A cookie (stored in $_COOKIE) records the session id of the user so that your application knows which session belongs to the logged-in user.

Yes Hacker can hijack the session you can use session_regenerate_id() , or stole it look if you are admin and you logged in ,( session is in the server ) hacker have it via xss = > will make cookie in his pc with this session and log , change the pass or add admin , besore the end of the session

cookie can stole too , look this code setcookie("admin","admin_log",time()+3600); if hacker know the code like opensource he can log as make cookie by firefox addons as the cookie name and value

Cookies are sent via the user-agent every time a page is requested. The user-agent doesn't need to be a browser. It could be a small shell script. Even if it is a browser, there's an "edit cookie" extension for Firefox.

$_COOKIE contains information that the client sent to your web server. Most commonly this is the contents of browser cookies but t could contain ANYTHING, so don't trust it.