( Fully aware of the amount of posts I seem to do, I Prefer multiple peoples opinions rather than some random website )

Hi Guys,

After recently looking at another post, Im wondering just how secure keeping data in a session is?

As far as im aware, Its all server side and cant be hijacked? or injected?


if i put data into a session and then rely on said data on other pages for sql querys etc.
Can i trust it hasn't been tampered with remotely ( assuming the server itself hasn't been compromised )


Your thoughts?

-G

A session only exists between your browser and the server. Even other browsers on your machine cannot read the same session data.

But can someone inject a session? or modify it ? or even view it?

Quote:

Even other browsers on your machine cannot read the same session data.

?? .....

OK, probably a stupid question then ty

i think session store has secure. because it store temporary file and unique name on server.

Quote:

But can someone inject a session? or modify it ? or even view it?

Yes, if you give them the possibility.
It's depending on how you code.
Imagint that you have a page, named session.php, that is like this:

PHP Code:

<?php
foreach($_GET as $key=>$val){
    $_SESSION[$key]=$val;
}
?>

Then yes, they can inject whatever they want into the session.

But there is nothing that allows a user to alter his session without you knowing it or doing something that explicitly permits him to do so.

Ok thats good.

i dont put data into sessions based on user input. Its always up to the script what to put in and cannot be infulenced.

I just wanted to make sure there was no way for them to send odd stuff and modify sessions.

While i do understand how the work , where it stores them and how to retrieve them, I have worked in the IT industry for many years now at a very high level and have come across MANY seemingly impossible to do things done.

So just wanted to be sure before i get myself in a situation i could of steered away from.

Thanks
G