Are $_SESSION variables safe?

Validation needed for $_SESSION?

Benco

7:10 pm on Jun 18, 2007 (gmt 0)

Hi, I'm new.
I know that I have to be careful with $_POST and $_GET and therefore validate user input. But what about my $_SESSION variables? Could they also contain malicious injections or is it sure that they only contain what I wrote into them?
I don't know much about cookies and whether they can be manipulated.

barns101

9:23 pm on Jun 18, 2007 (gmt 0)

Session variables will only contain whatever you stored in them. If you store user input then you need to check it before storing it as a session variable. Session data is stored server side, so the user can't tamper with it. Only a session ID is stored in a cookie on the visitor's computer.

Cookies can be manipulated by users and so you need to validate the data before use.

hughie

9:48 pm on Jun 18, 2007 (gmt 0)

As barns says, in theory the session data can't be manipulated by the user, but if you're storing POST or GET variables as session data then those can be, so you need to validate everything.

The dangers arise when session ids aren't dealt with properly so malicious users can obtain the Session ID of another user and log in under that session.

Google "securing sessions php" for more info.

Benco

10:12 pm on Jun 18, 2007 (gmt 0)

So I was wrong to assume that the session data would be stored in a cookie - thanks to both of you for your help.

coopster

4:25 am on Jun 19, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member

Session data is not, but the session id is. The PHP Session Handling Functions [php.net] are a must read when working with PHP session management. Don't forget to follow the links and read up on session fixation there too.

And welcome to WebmasterWorld, Benco.
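The advice in this thread, as an added PHP example that is not code from any of the posters: harden the cookie that carries the session ID (the only part the visitor holds), validate input before it goes into $_SESSION, and regenerate the ID at login so a fixated ID stops working. The username rule, the login flow and PHP 7.3+ (array form of session_set_cookie_params) are assumptions.

```php
<?php
// Added example illustrating the thread's advice; not code posted by any participant.
// Assumes PHP 7.3+ and a site served over HTTPS.

// 1. Harden the cookie that carries the session ID. Strict mode makes PHP
//    reject IDs it did not issue itself, which blunts session fixation.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable by JavaScript
    'samesite' => 'Lax',
]);
session_start();

// 2. Validate user input before it ever goes into $_SESSION. Session data
//    lives server-side, but it is only as trustworthy as what you stored.
function validatedUsername(array $post): ?string
{
    $name = $post['username'] ?? null;
    if (!is_string($name)) {
        return null;
    }
    // Hypothetical policy: 3-32 chars, letters, digits, underscore.
    return preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $name) === 1 ? $name : null;
}

// 3. On a privilege change (login), issue a fresh session ID so an ID that
//    was planted or observed beforehand no longer maps to this session.
function loginUser(string $username): void
{
    session_regenerate_id(true);           // true = discard the old session
    $_SESSION['user']      = $username;    // already validated above
    $_SESSION['logged_in'] = true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = validatedUsername($_POST);
    if ($username === null) {
        http_response_code(400);
        exit('Invalid username');
    }
    // (credential check omitted; assumed to succeed here)
    loginUser($username);
}
```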