--- Aaron Todd <[EMAIL PROTECTED]> wrote:

> Can anyone tell me how secure a session variable is.

It's 93% secure. :-)

Seriously, session data is generally more secure than other data that you're likely to use. If you try to consider your data as being either local or foreign, I think you'll start to understand why. Things in $_POST, $_GET, $_COOKIE, $_FILES, and even some of $_SERVER come from the client, and therefore you are not guaranteed that any of it is valid. Session data is stored on the server, and unless you send it to the client (like echo a session variable), it isn't exposed like other data.

What is stored in the session is up to you. As long as you have good data filtering rules prior to setting a session variable, then you can trust its format.

There are, of course, caveats, but they are minor and distract from the point. One that is worth considering is whether you are on a shared host and store your session data in /tmp, which is the default. I have an article available that discusses such shared hosting concerns:

http://shiflett.org/articles/security-corner-mar2004

> I have a database that stores a username and an encrypted
> password which both are verified when the user logs in to the site.

This is a good practice but actually falls under the topic of authentication. A good idea is to use a one-way algorithm, such as MD5, so that there is no risk of reversal (these algorithms must be broken by going "forward" and trying to find a collision).

> But if I'm logged in, how easy would it be, if it's even possible, to
> change the session variable that holds my ID to someone else's ID
> so I can get their data.

Practically impossible. As I understand your implementation, this ID is a session variable, and these cannot be arbitrarily set by the user.

The risk is more along the lines of things like session fixation and session hijacking. While I can't set the ID associated with my session, I can attempt to hijack someone else's session that has the ID that I want. Focus on this risk, because it's much more important.

> If anyone has some good web sites on session security I'd really
> like to read them.

I try to write a lot on security and make my work available for free. I'm tired of seeing PHP being associated with poor security. Here are some articles related to session security:

http://shiflett.org/articles/the-truth-about-sessions
http://shiflett.org/articles/security-corner-feb2004

There is a better one published in the Aug 2004 issue of php|architect, but I can't offer it for free until 26 Feb 2005. If you happen to be reading this message after that date, you can try this link:

http://shiflett.org/articles/security-corner-aug2004

I've also given a couple of presentations on session security, and the slides are available here:

http://shiflett.org/talks/oscon2004/securing-php-sessions
http://shiflett.org/talks/phpworks2004/php-session-security

Another talk had information on session security and other popular topics:

http://shiflett.org/talks/oscon2004/php-security

This was the talk that had the PHP Security Workbook (which I will likely update for future talks):

http://shiflett.org/php-security.pdf

I hesitate to point people to slides, because I think they leave a lot of gaps. I only use them to highlight major points, and sometimes I'll even ask, "Does anyone know what's wrong with this code?" When you're only looking at the slides, you don't get such questions, and so you might think the code on the slide is good stuff. :-)

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
HTTP Developer's Handbook - Sams
Coming December 2004
http://httphandbook.org/

--
PHP General Mailing List (http://www.php.net/)
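As an added illustration of the points made in this reply (not code from the message, nor from Chris Shiflett): a PHP login handler that filters client input before anything derived from it reaches the session, regenerates the session ID at login so a pre-planted ID (session fixation) becomes worthless, and keeps the user ID purely server-side. The find_user() helper, the users table layout, and password_verify() in place of the one-way hash discussed above are assumptions.

```php
<?php
// Added example, not from the original message. find_user(), the users
// table, and password_verify() as the one-way check are assumptions.
declare(strict_types=1);

// Refuse session IDs the server never issued: an attacker-chosen ID in the
// cookie is discarded instead of being adopted.
ini_set('session.use_strict_mode', '1');
// Keep the session cookie out of script reach and off plain HTTP.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

/** Hypothetical lookup: ['id' => int, 'password_hash' => string] or null. */
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login(PDO $db, string $username, string $password): bool
{
    // Foreign data ($_POST etc.) is filtered before it influences the session.
    if (!preg_match('/^[a-z0-9_]{1,32}$/i', $username)) {
        return false;
    }
    $user = find_user($db, $username);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // New ID at the privilege change: whatever session ID the client arrived
    // with (possibly planted by someone else) is no longer valid.
    session_regenerate_id(true);
    // The ID lives only on the server; the client holds just the session cookie.
    $_SESSION['user_id'] = (int) $user['id'];
    return true;
}

/** Later requests read the trusted, server-side value; the client cannot set it. */
function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}
```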