Is it possible for a malicious user to edit $_SESSION?

Backend · Unresolved · 7 · 777
抹茶落季 2020-12-16 00:02

I save some important info in $_SESSION, not in $_COOKIE. So, my question is: is it dangerous, or is it protected from malicious users trying to edit it?

7 answers
  • 2020-12-16 00:13

    $_SESSION is stored server-side. The best a hacker could do would be substitute another user's session for the existing session, but the hacker could not insert arbitrary data into $_SESSION. $_COOKIE is, however, stored client-side, so a hacker can insert arbitrary data into the cookie, by just editing the cookie.

  • 2020-12-16 00:21

    Cookies are sent via the user-agent every time a page is requested. The user-agent doesn't need to be a browser. It could be a small shell script. Even if it is a browser, there's an "edit cookie" extension for Firefox.

  • 2020-12-16 00:22

    By default, $_SESSION is already backed by a cookie with the name phpsessionid (so that the server is able to identify the client and associate it with one of the sessions in the server's memory). If a hacker knows someone else's cookie value and copies it into his own cookie with the same name on the same domain/path, then the hacker has access to the same $_SESSION. The cookie value is, however, long and random enough to minimize the risk of the session being hijacked within half an hour (the default session timeout).

  • 2020-12-16 00:28

    $_SESSION is stored on your webserver, so it's not possible to directly alter it via the web. Of course, your PHP application can update $_SESSION, so it still might be possible for an attacker to trick your application into doing something to $_SESSION that it shouldn't - it all depends on the specifics of your application.

    $_COOKIE is stored on the user's browser, which means that the user has the power to change their own cookies.

    One of the main uses for cookies is authentication. A user logs in and information is stored in $_SESSION. A cookie (stored in $_COOKIE) records the session id of the user so that your application knows which session belongs to the logged-in user.

  • 2020-12-16 00:31

    Yes, a hacker can hijack the session; you can use session_regenerate_id(). Or they can steal it. Look: if you are admin and you logged in (the session is on the server), the hacker gets it via XSS => he will make a cookie on his PC with this session and log in, change the password or add an admin, before the end of the session.

    Cookies can be stolen too. Look at this code: setcookie("admin","admin_log",time()+3600); if the hacker knows the code (like open source), he can log in by making a cookie with Firefox addons with the same cookie name and value.

  • 2020-12-16 00:32

    If you're worried about people altering sessions (session hijacking), look into session_regenerate_id().

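As an added example that is not part of any answer in this thread, the following PHP puts the two patterns discussed above side by side: the cookie-based admin flag from the setcookie("admin","admin_log",...) answer, where the client decides its own authorization, and authorization state kept in $_SESSION with session_regenerate_id() called at login, as the last two answers suggest. The user store, user names and passwords are constructed for the example; the cookie parameters, strict mode setting and helper names (start_secure_session, login, is_admin, is_admin_weak) are this example's own, not the page's.

```php
<?php
// Added example, not code from the original thread.
// Sample users and credentials below are constructed; there is no database.
declare(strict_types=1);

// Weak pattern quoted in the thread: authorization decided by a cookie the
// client controls. Whoever knows the cookie name and value can set it.
function is_admin_weak(array $cookies): bool
{
    return isset($cookies['admin']) && $cookies['admin'] === 'admin_log';
}

// Hardened pattern: the role lives in $_SESSION on the server; the client
// only ever holds the opaque session id cookie.
function is_admin(array $session): bool
{
    return ($session['role'] ?? null) === 'admin';
}

// Constructed sample user store; hashes are produced with password_hash().
function sample_users(): array
{
    return [
        'alice' => ['hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT), 'role' => 'admin'],
        'bob'   => ['hash' => password_hash('hunter2', PASSWORD_DEFAULT), 'role' => 'user'],
    ];
}

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // The session id cookie is all a hijacker needs, so keep it away from
    // scripts (httponly), off plaintext HTTP (secure) and out of cross-site
    // requests (samesite). Array form needs PHP 7.3+.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    // Reject ids the server never issued (session fixation) and never read the
    // id from the URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();
}

function login(string $username, string $password): bool
{
    $users = sample_users();
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return false;
    }
    // Privilege level changes here: drop the pre-login id so anyone who planted
    // or observed it before login cannot reuse it for the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user']       = $username;
    $_SESSION['role']       = $users[$username]['role'];
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage: serve this file (e.g. `php -S localhost:8080`) and POST username/password.
start_secure_session();
if (isset($_POST['username'], $_POST['password'])) {
    if (login((string) $_POST['username'], (string) $_POST['password'])) {
        echo is_admin($_SESSION) ? "admin session\n" : "user session\n";
    } else {
        http_response_code(401);
        echo "login failed\n";
    }
}
```

Note the asymmetry the thread keeps coming back to: is_admin_weak() trusts a value the browser sent, so the check is only as strong as the secrecy of a string that appears in the source code, while is_admin() reads state that only server-side code can write. Regenerating the id at login does not stop a later theft of the cookie (XSS, network sniffing), which is why the cookie flags and a short session lifetime matter alongside it.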