
ppc_michael (original poster), Apr 26, 2005
Are there any methods/plugins that allow users to view or change PHP session variables client-side?

Basically I'm wondering how worried I should be about users hacking session data to try to access other people's accounts in a login/account system I'm writing.
 
I would not rely solely on session variables. They are not secure and can be faked, as I have found with my contact form. I wasn't trying to do anything secure there, but did notice spambots were able to fake sessions. Though it would take more effort for them to intercept someone else's session and get that data. That's why session data is usually set to expire in minutes/hours. So yeah, don't store any personal information in session variables if possible.

Some ways to help make sessions more secure
 
I want to strongly, strongly suggest you take a very close look at the first link Angelwatt listed. That comes from a site I use regularly to find open source object oriented solutions (classes) for PHP. The class is excellent, the author won an innovator award for it and he is one of the better developers sharing code out there. Implement his class and you've eliminated most of the hard work. So I am seconding that advice, big time.

Your primary concern is session hijacking, and good session handling involves passing encrypted values between pages with a fingerprint or key generated and stored server side (through one of countless means) for each session user and their session data. The 5th link (phpsec.org's article) is superb reading on that specific subject.

-jim
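As an added illustration of the advice in the two replies above (regenerate the ID at login, bind the session to a server-side fingerprint, expire idle sessions, keep the cookie out of JavaScript's reach), here is a small PHP sketch. It is not code from the thread or from the class jim refers to; it uses an HMAC fingerprint kept server side rather than the "encrypted values passed between pages" jim describes. Assumed names: `SESSION_FINGERPRINT_SECRET` (an environment variable holding a per-deployment secret, with a placeholder fallback), `IDLE_TIMEOUT`, and the helper functions, all hypothetical. It assumes PHP 7.3 or newer for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example, not from the original thread. Hardened PHP session handling:
// strict IDs, cookie-only transport, HTTPS/HttpOnly cookie, server-side
// fingerprint bound to the session, idle timeout, ID regeneration on login.
declare(strict_types=1);

const IDLE_TIMEOUT = 900; // seconds of inactivity before the session is rejected (assumed value)

// Start the session with hardened settings. Call before any output.
function secure_session_start(): void
{
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the query string
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Server-side fingerprint: HMAC of a stable client attribute with a secret the
// client never sees. A user who can read their own session contents still
// cannot forge a fingerprint for another client without the secret.
function session_fingerprint(string $userAgent, string $secret): string
{
    return hash_hmac('sha256', $userAgent, $secret);
}

// Call after credentials have been verified. Regenerating the ID discards any
// ID that was planted before login (session fixation) and the session is
// rebuilt from scratch, bound to the user and the fingerprint.
function login_session(int $userId, string $userAgent, string $secret): void
{
    session_regenerate_id(true);
    $_SESSION = [
        'user_id'       => $userId,
        'fingerprint'   => session_fingerprint($userAgent, $secret),
        'last_activity' => time(),
    ];
}

// Validate on every request. Returns the user id, or null when the session
// must not be trusted. Pure function over the session array so it can be
// exercised from the CLI without a real session store.
function validate_session(array $session, string $userAgent, string $secret, int $now): ?int
{
    if (!isset($session['user_id'], $session['fingerprint'], $session['last_activity'])) {
        return null; // no logged-in user in this session
    }
    $expected = session_fingerprint($userAgent, $secret);
    if (!hash_equals($expected, (string) $session['fingerprint'])) {
        return null; // presented by a different client than the one that logged in
    }
    if ($now - (int) $session['last_activity'] > IDLE_TIMEOUT) {
        return null; // idle for too long
    }
    return (int) $session['user_id'];
}

// Wipe the session server side and expire the cookie in the browser.
function logout_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Constructed CLI demo of the validation rules (no browser involved).
if (PHP_SAPI === 'cli') {
    $secret = getenv('SESSION_FINGERPRINT_SECRET') ?: 'PLACEHOLDER-replace-with-a-random-secret';
    $ua     = 'Mozilla/5.0 (constructed user agent)';
    $now    = time();
    $session = [
        'user_id'       => 42,
        'fingerprint'   => session_fingerprint($ua, $secret),
        'last_activity' => $now,
    ];
    var_dump(validate_session($session, $ua, $secret, $now));            // same client, fresh: accepted
    var_dump(validate_session($session, 'other-agent', $secret, $now));  // different client: rejected
    var_dump(validate_session($session, $ua, $secret, $now + 3600));     // idle past the timeout: rejected
    $forged = $session;
    $forged['fingerprint'] = hash('sha256', $ua);                        // guess without the secret
    var_dump(validate_session($forged, $ua, $secret, $now));             // forged fingerprint: rejected
}
```

In a real request handler, call `secure_session_start()` first, then `validate_session($_SESSION, $_SERVER['HTTP_USER_AGENT'] ?? '', $secret, time())`; on success refresh `$_SESSION['last_activity']`, and on failure call `logout_session()` and send the user to the login page. Only the user id lives in the session; anything sensitive is looked up from it server side, which is the point Angelwatt makes about not storing personal data in session variables.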
 