Example, if I create a session
session_start();
$_SESSION['nome'] = $nome; # value fetched earlier.
Can the end user see and edit the data in it?
Talking about the native PHP API, the session data is in a server-side file, which is usually in a folder outside public_html or www, and this makes access by the end user impossible.
However, who develops the system may end up exposing the data in some way, so we can say that it depends on the way it was programmed.
Sometimes we configure session folders in another location that is publicly accessible:
session_save_path('/etc/www/sessions');
You can also accidentally expose data from $_SESSION, but it is likely that the data exposed is the user's own; however, it is possible to share the session, and this can be a headache.
In conclusion, sessions in PHP are not "insecure", the way you program it can expose you.
Session variables in PHP are server-side cookies, that is, they are cookies saved on the server.
Common users without administrative access to the server do not have access to the files, as long as they are in a private directory and, by default, PHP saves cookies in a private directory.
However, care must be taken where cookies are saved on the server because PHP allows you to configure the cookie location even at runtime:
If the programmer is a donkey, he will set cookies in a publicly accessible folder:
session_save_path('/var/www/website.foo/public/sessions');
With this, everything becomes vulnerable.
But this is a very difficult situation, even for "donkeys".
A more important precaution is when you save sensitive data to session variables such as login and password: always encode the data, as there may be a malicious administrator with access to the server, or even a hacker may have physical access to the files.
Session hijacking
Session variables can be hijacked. This is called session hijacking.
How can you hijack the PHP session_id?
It's not too difficult. Just have access to a person's computer with the session open.
Although session variable data is written to the server, session variables also need a client-side cookie. This cookie contains the session_id, or the session ID. This ID is what identifies the cookie on the server.
Here's the move! If you have the ID, you can get the server's data about it.
Then just carry the client-side cookie that contains the session ID to another computer. This will, for example, log you in on your computer as if you were someone else.
How to avoid hijacking?
A basic technique for preventing session hijacking is to generate a new session ID periodically. It is recommended to generate a new ID every 5 minutes.
Some find it overkill and define it as 1 hour or more. However, one hour is more than enough to steal a session id. So set a shorter time period.
In PHP there is the session_regenerate_id() function, which can be used to generate new session IDs.
Snitch
In PHP, there is an environment configuration policy called session.use_trans_sid.
This policy, when enabled, transports the session ID transparently into $_GET and $_POST requests automatically.
It is recommended that you disable this option as it only makes it easier for a hacker to get someone's session id, even without having physical access to the victim's computer.
Why does PHP have this "harmful" setting? The reason is that it is a setup of dark times, from the early days of the internet where we had many problems dealing with cookies in the browsers of the time between 1996 ~ 2003. Nowadays there is no need to worry about that.
Session name
By default, the name of the parameter that contains the session ID in the client-side cookie is PHPSESSID.
It is recommended that you change to another name that does not give clues about which technology you use on the server. This makes it difficult for a hacker to get information from a server on which to attack or exploit vulnerabilities.
In PHP, we have the function session_name(), where you can define a custom name.
Set to ASPSESSIONID , for example. With this, a hacker will think that the site uses ASP and will be wasting time looking for ASP vulnerabilities instead of PHP .
A more experienced hacker may realize this by checking other data in the server's response headers. For example, Apache sends data that can expose that the server runs Apache and PHP. Therefore, also look for how to omit such data.
For the Apache server, in the <Directory> of the <VirtualHost> directive, add the line php_value expose_php Off.
Depending on the server settings, this can only be changed in php.ini.
There are several other details that can expose server information. If you want to know more, search the subject.
Some keywords to search for:
hide apache server info
php expose off
hide php info
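The measures from the answer above (custom session name, no session ID in GET/POST, periodic session_regenerate_id()) combined into one session bootstrap. This is an added example, not code from either answer; REGEN_INTERVAL, the 'created' key and the function name are choices made here, and the use_strict_mode, HttpOnly, Secure and SameSite cookie settings go beyond the answer. Requires PHP 7.3+ for the array form of session_set_cookie_params().

```php
<?php
// Added example: hardened session start applying the points discussed above.
// REGEN_INTERVAL and $_SESSION['created'] are conventions of this example, not PHP APIs.

const REGEN_INTERVAL = 300; // 5 minutes, the period recommended in the answer above

function secure_session_start(): void
{
    // Name that does not reveal the server technology (the answer suggests ASPSESSIONID).
    session_name('ASPSESSIONID');

    // Never carry the session ID in GET/POST; accept it only from the cookie.
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_only_cookies', '1');
    // Reject session IDs the server did not generate itself (mitigates fixation).
    ini_set('session.use_strict_mode', '1');

    // Cookie not readable by JavaScript, sent only over HTTPS, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);

    session_start();

    // Rotate the ID every REGEN_INTERVAL seconds. The `true` argument deletes the
    // old server-side session file, so a copied cookie with the previous ID
    // stops working once rotation has happened.
    if (!isset($_SESSION['created'])) {
        $_SESSION['created'] = time();
    } elseif (time() - $_SESSION['created'] > REGEN_INTERVAL) {
        session_regenerate_id(true);
        $_SESSION['created'] = time();
    }
}

secure_session_start();
```

expose_php is not included here because it cannot be changed with ini_set() at runtime; it must be set in php.ini or the Apache configuration as the answer describes. Regenerating the ID immediately after a successful login, in addition to the timer, is also common practice.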