How secure are php Sessions? I am planning to use the native PHP sessions to authenticate users. Can users modify session data like they can $_POST and $_GET data?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
How secure are php Sessions? I am planning to use the native PHP sessions to authenticate users. Can users modify session data like they can $_POST and $_GET data?
Data only goes into a session when you as the developer have the user put it into the session via the code you write. Therefore, sessions are as secure as the data you allow into them, and how you trust and use that data. Further, sessions are based on a sessionID that the client uses to identify the session user. If someone hijacks a sessionID, then they can emulate being the user whose session ID they stole. This can happen in non SSH communication. So don’t trust a session ID for identifying a user (for important stuff) unless they have logged in and the sessionID has only been transmitted in secure mode.
The next question of security would be the ‘guessability’ of a sessionID you sent off to the user. If you handle the stuff I mention above, by the time you get through it and the documentation you will understand how ‘guessable’ PHP sessionIDs are.
Finally watch out for XSS attacks. There are several posts across the internet that explain how to minimize the incidence of XSS.