How Safe Are PHP Session Variables

How safe are PHP session variables?

Sessions are significantly safer than, say, cookies. But it is still possible to steal a session and thus the hacker will have total access to whatever is in that session. Some ways to avoid this are IP Checking (which works pretty well, but is very low fi and thus not reliable on its own), and using a nonce. Typically with a nonce, you have a per-page "token" so that each page checks that the last page's nonce matches what it has stored.

In either security check, there is a loss of usability. If you do IP checking and the user is behind a intranet firewall (or any other situation that causes this) which doesn't hold a steady IP for that user, they will have to re-authenticate every time they lose their IP. With a nonce, you get the always fun "Clicking back will cause this page to break" situation.

But with a cookie, a hacker can steal the session simply by using fairly simple XSS techniques. If you store the user's session ID as a cookie, they are vulnerable to this as well. So even though the session is only penetrable to someone who can do a server-level hack (which requires much more sophisticated methods and usually some amount of privilege, if your server is secure), you are still going to need some extra level of verification upon each script request. You should not use cookies and AJAX together, as this makes it a tad easier to totally go to town if that cookie is stolen, as your ajax requests may not get the security checks on each request. For example, if the page uses a nonce, but the page is never reloaded, the script may only be checking for that match. And if the cookie is holding the authentication method, I can now go to town doing my evilness using the stolen cookie and the AJAX hole.

How secure are PHP sessions?

No, a session is stored on the server and cannot be accessed by the user. It is used to store information across the site such as login sessions.

Here is an example of the usage:

<?php
session_start();
if (password_verify($_POST['password'], $hash)) {
    $_SESSION['auth'] = true;
}
?>

The session can then be accessed across the site to check to see if the user has been authenticated.

<?php
session_start();
if ($_SESSION['auth']) {
    echo "You are logged in!";
}
?>

The user cannot edit these values however the session's ID is stored on a computer through a cookie as a long random string. If an unauthorized user gains access to these strings it is possible for them to access the site.

Is Php session data secure?

The session data itself is stored server side. The only thing that is stored on the client's computer is a cookie with a unique identifier so the server knows which session to load at the server side.

Users cannot manipulate the data stored in the session itself, so in that sense, sessions are secure.

Then of course, the cookie itself could be stolen from a user and used by another user (a practice called 'session hijacking'). You can protect your users from this by for example locking a session to their IP-address, browser version, etc and using HTTPS to shield them from people sniffing connections.

Is this a safe use of Session Variables?

That's pretty good, here are a few other tips for session management:

1. Do not accept session identifiers from GET/POST variables:
   Session identifiers in URL (query string, GET variables) or POST variables are not recommended as it simplifies this attack. It is easy to make links on forms which set GET/POST variables.

2. Regenerate the SID on each request:
   In PHP use session_regenerate_id(). Every time a user's access level changes, it is necessary to regenerate the session identifier. This means that although an attacker may trick a user into accepting a known SID, the SID will be invalid when the attacker attempts to re-use the SID.

Are Laravel session variables secure?

Is there any (known) way for end users to edit a Laravel 4 session variable?

Yes there is, but only if you go out of your way to make it possible. The steps required are:

1. Use the cookie driver for sessions (which stores all session data into a cookie rather than simply storing an identifier in the cookie and keeping the actual data server-side). I generally recommend against storing session state in a cookie.
2. Turn off session encryption, which the documentation strongly says not to do.

If you do these ill-advised steps, in addition to allowing users to overwrite session data, this is a risk for PHP object injection via unserialize().

Advice: If you are going to store session state in a cookie, make sure it's wrapped in authenticated encryption. Laravel's encryption library employs authenticated encryption (Encrypt then MAC), and the sessions use this by default.

---

As for the other drivers, that depends on your network topology. If your database is on another server and your attacker can impersonate the web server, they can put whatever they want in the database.

Last I checked, Laravel defaults to encrypt session data (unless you disable encryption). Unless your database is on the same host as the webserver, leave it turned on.

How safe is it to use login data within a PHP session?

Storing the users name might make your application vulnerable to brute force attacks if the session is sniffed and the user name retrieved.

So you want to create a loggedIN token that is then stored in the session and the DB and compared when content that requires login is called.

Tokens should be indexed unique and regularly destroyed users not logged in have NULL. This keeps temp tables leaner when tokens are compared upon loading content.

---

Related Topics