  1. #1 doubledee (Senior Coder)

    Question about PHP Session Cookies

    When you create a session in PHP, it stores a cookie on your computer which has an "id" that points back to your session on the server, right?

    If this is correct, then what stops someone from modifying the Session Cookie to another ID, and thus hijacking someone else's session?

    Sincerely,


    Debbie

  • #2 Tpojka (New Coder)
    A session is not a cookie.
    A cookie is set in the client's browser as a file for a particular amount of time,
    and a session is stored in the client's (machine) memory until the browser is closed or it is destroyed by another method (session_unset(), session_destroy()) provided by the application.
    No one stops anyone from changing the session in the browser (it can be seen, i.e. in Chrome's Inspect Element), but change it to what? It is a hash depending on the application's encryption and, if it is made well, no one will spend a few billion years trying to get doubtful data.
    After all, Google, PayPal, eBay and Amazon use user (and other) sessions.
    Then you (I or anybody else) can ask "Why shouldn't I use it too?" Right?

  • #3 djm0219 (Senior Coder)
    Quote Originally Posted by doubledee View Post
    When you create a session in PHP, it stores a cookie on your computer which has an "id" that points back to your session on the server, right?
    The SID value in the browser cookie is usually the name of the session that is stored on the host.

    Quote Originally Posted by doubledee View Post
    If this is correct, then what stops someone from modifying the Session Cookie to another ID, and thus hi-jacking someone else's session?
    Nothing other than the fact that it would be close to impossible to guess what someone else's SID is. Unless you are dealing with extremely sensitive information it is not a concern (that applies to a majority of things on "the web").
    Dave .... HostMonster for all of your hosting needs

  • #4 tangoforce (Senior Coder)
    On public wifi networks it is indeed possible to steal cookies. It's rare but it can happen. You may want to consider using SSL for that very reason as that's the only way to ensure that the connection is secure.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • #5 tangoforce (Senior Coder)
    Quote Originally Posted by Tpojka View Post
    Session is not cookie.
    Correct. Sessions do however use cookies so that the browser can identify the session identifier that the server needs to be using.

    Quote Originally Posted by Tpojka View Post
    Cookie is set in client's browser as a file for particular amount of time,
    and session is stored in client's (machine) memmory
    No, the session is stored on the server in a file on the disk. It is not stored in the client PC memory.

  • Users who have thanked tangoforce for this post:

    Tpojka (10-28-2013)
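    To make tangoforce's correction concrete (the cookie carries only an id; the session data is a server-side file named after it), here is a simplified model added for this thread, not PHP's own session code. It assumes 32-hex-character ids and a `sess_<id>` file naming scheme; the `set_cookie_header` helper shows the cookie flags that go with the SSL deployment from post #4.

```python
import json
import os
import re
import secrets
import tempfile

# Assumed id format: 32 lowercase hex chars (128 bits). The format check also keeps
# attacker-supplied text such as "../x" out of the session file path.
SID_RE = re.compile(r"^[0-9a-f]{32}$")

class SessionStore:
    """File-backed session store in the style of PHP's default handler (model only)."""

    def __init__(self, directory: str):
        self.directory = directory

    def _path(self, sid: str) -> str:
        return os.path.join(self.directory, "sess_" + sid)

    @staticmethod
    def new_id() -> str:
        # 128 bits from the OS CSPRNG (the /dev/urandom mentioned later in the thread)
        return secrets.token_hex(16)

    def open(self, cookie_sid):
        """Map the cookie value to (sid, data). A malformed id, or one that no live
        session owns, yields a fresh empty session: editing the cookie never hands
        the browser someone else's data unless it lands exactly on a live id."""
        if cookie_sid and SID_RE.fullmatch(cookie_sid):
            path = self._path(cookie_sid)
            if os.path.isfile(path):
                with open(path) as fh:
                    return cookie_sid, json.load(fh)
        return self.new_id(), {}

    def save(self, sid: str, data: dict) -> None:
        if not SID_RE.fullmatch(sid):
            raise ValueError("refusing to write a session with a malformed id")
        with open(self._path(sid), "w") as fh:
            json.dump(data, fh)

def demo_store() -> SessionStore:
    """Store backed by a fresh temporary directory (for demos and tests)."""
    return SessionStore(tempfile.mkdtemp(prefix="sess-demo-"))

def set_cookie_header(sid: str, name: str = "PHPSESSID") -> str:
    """Cookie attributes for an SSL-only site: Secure keeps the id off plain HTTP
    (the public wifi case), HttpOnly keeps page scripts from reading it."""
    return f"Set-Cookie: {name}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```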

  • #6 doubledee (Senior Coder)
    Quote Originally Posted by djm0219 View Post
    Quote Originally Posted by doubledee
    If this is correct, then what stops someone from modifying the Session Cookie to another ID, and thus hi-jacking someone else's session?
    Nothing other than the fact that it would be close to impossible to guess what someone else's SID is. Unless you are dealing with extremely sensitive information it is not a concern (that applies to a majority of things on "the web").
    But if I had 10,000 users, and someone changed their Session Cookie from "12345" to "67890" then they could easily have a "collision" with another ID and end up taking over it, right?

    Maybe the SessionID is a really long number, but if you have LOTS of active users, the chance of guessing one might still be pretty high, right?

    So isn't there some other mechanism to prevent just randomly guessing the ID?

    Seems like that would be a train-wreck for someone like Amazon.com or BankOfAmerica.com


    And, Tango, I hope to use SSL site-wide, however that has nothing to do with what I asked...

    Even with SSL, if I (Debbie) can just start editing *my* Session Cookie with the hopes I'll guess another valid SessionID (e.g. Tango's) then there is no security using sessions!!!

    I must be missing something, because this all seems too easy...

    Sincerely,


    Debbie

  • #7 Dormilich (Senior Coder)
    Quote Originally Posted by doubledee View Post
    But if I had 10,000 users, and someone changed their Session Cookie from "12345" to "67890" then they could easily have a "collision" with another ID and end up taking over it, right?
    it's a 64-bit number, and there's enough randomness (/dev/urandom) to not have collisions that easily.
    The computer is always right. The computer is always right. The computer is always right. Take it from someone who has programmed for over ten years: not once has the computational mechanism of the machine malfunctioned.
    André Behrens, NY Times Software Developer
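    The "possibility versus probability" point from posts #6 and #7 can be put into numbers. This is an added example, not code from the thread: it compares the 5-digit ids Debbie imagined ("12345", "67890") with the 64-bit ids Dormilich describes, for the thread's 10,000 active users, and assumes the server accepts at most 1,000 cookie lookups per second (the request rate is the real throttle, and that figure is an assumption).

```python
from fractions import Fraction
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

def per_guess_hit_probability(id_space: int, active_sessions: int) -> Fraction:
    """Chance that one uniformly random guess equals some currently live id:
    live ids divided by the size of the id space (exact)."""
    return Fraction(active_sessions, id_space)

def hit_probability(id_space: int, active_sessions: int, guesses: int) -> float:
    """Chance that at least one of `guesses` independent random guesses hits a
    live session: 1 - (1 - p)^guesses, evaluated in log space so it stays
    accurate when p is around 1e-16."""
    p = active_sessions / id_space
    return -math.expm1(guesses * math.log1p(-p))

def expected_guesses_to_first_hit(id_space: int, active_sessions: int) -> Fraction:
    """Mean number of guesses before the first hit (geometric distribution)."""
    return Fraction(id_space, active_sessions)

def years_to_expected_hit(id_space: int, active_sessions: int,
                          guesses_per_second: int) -> float:
    """Wall-clock time until the expected first hit at a given request rate.
    The rate is bounded by how many cookie lookups the server will serve."""
    guesses = expected_guesses_to_first_hit(id_space, active_sessions)
    return float(guesses / guesses_per_second / SECONDS_PER_YEAR)

if __name__ == "__main__":
    users = 10_000            # the figure from the thread
    toy_space = 10 ** 5       # 5-digit ids like "12345" / "67890"
    real_space = 2 ** 64      # 64-bit ids drawn from /dev/urandom
    rate = 1_000              # assumed: lookups per second the server accepts
    print("5-digit id, one guess: ", float(per_guess_hit_probability(toy_space, users)))
    print("5-digit id, ten guesses:", hit_probability(toy_space, users, 10))
    print("64-bit id, one guess:  ", float(per_guess_hit_probability(real_space, users)))
    print("64-bit id, years until the expected first hit at %d/s: %.0f"
          % (rate, years_to_expected_hit(real_space, users, rate)))
```

    With 5-digit ids and 10,000 users, one edit of the cookie has a 10% chance of landing on a live session and ten edits about 65%; with 64-bit ids the same ten thousand users leave a per-guess chance around 5e-16, and at 1,000 lookups per second the expected first hit is tens of thousands of years away.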

  • #8 Tpojka (New Coder)
    Quote Originally Posted by tangoforce View Post
    Correct. Sessions do however use cookies so that the browser can identify the session identifier that the server needs to be using.
    I thought of session_id()...
    Quote Originally Posted by tangoforce View Post
    No, the session is stored on the server in a file on the disk. It is not stored in the client PC memory.
    ...which is the cookie in the browser.
    Thank you.

    These are just a few articles I've read about it now:

    Session ID
    Brute-force search
    How is the PHPSESSID generated?
    session_id
    Sessions and security
    Choosing a session ID algorithm for a client-server relationship
    Cryptographically secure pseudorandom number generator
    Pseudorandom number generator
    Message authentication code
    Is it possible to have authentication without state

  • #9 doubledee (Senior Coder)
    Quote Originally Posted by Dormilich View Post
    it's a 64-bit number, and there's enough randomness (/dev/urandom) to not have collisions that easily.
    So the scenario I described in my OP is basically non-existent, and I shouldn't worry?

    Sincerely,


    Debbie

  • #10 Dormilich (Senior Coder)
    Quote Originally Posted by doubledee View Post
    So the scenario I described in my OP is basically non-existent, and I shouldn't worry?
    yupp. otherwise no-one would use sessions today (and I'm pretty sure other languages use a similar mechanism, since they use HTTP for web apps, too). it's just the difference between possibility and probability.

  • #11 doubledee (Senior Coder)
    Quote Originally Posted by Dormilich View Post
    yupp. otherwise no-one would use sessions today (and I'm pretty sure other languages use a similar mechanism, since they use HTTP for web apps, too). it's just the difference between possibility and probability.
    Okay, just being sure!

    Thanks for the help,


    Debbie

