Session injection?


All session variables in PHP are stored server side. The client stores a cookie that references which session should be used, and then the server looks up the values for the session. It is safe to store is_logged_in in your session as well as the user id.

What you should be aware of is that if one user gets hold of another user's session cookie, they will be able to imitate that user until the session times out. One simple solution is to link sessions to IPs.
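The following is an added example and not code from the original answer. It shows the arrangement the answer describes in working PHP: the login flag and user id live only in server-side `$_SESSION` storage, the browser holds nothing but the session ID cookie, and the session is optionally bound to the client's IP address (plus the User-Agent, as mentioned in the comments below) so that a stolen cookie presented from elsewhere is rejected. The function names (`loginUser`, `currentUserId`, `logoutUser`, `clientFingerprint`) and the `$bindIp` switch are this example's own; the `session_*`, `ini_set`, `hash` and `setcookie` calls are standard PHP.

```php
<?php
// Added example (not from the original answer): server-side login state with
// PHP sessions, optionally bound to the client's IP and User-Agent.
// Function and variable names here are the example's own.

declare(strict_types=1);

// Reject session IDs the server never issued (mitigates session fixation) and
// keep the cookie away from JavaScript and plain-HTTP requests.
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Fingerprint of the client: User-Agent plus, optionally, the remote IP.
// Pass $bindIp = false to avoid logging out mobile users whose address changes.
function clientFingerprint(bool $bindIp): string
{
    $parts = [$_SERVER['HTTP_USER_AGENT'] ?? ''];
    if ($bindIp) {
        $parts[] = $_SERVER['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\x00", $parts));
}

// Call this only after the password check has succeeded. These values are set
// by server-side code; the browser never sees anything but the session ID.
function loginUser(int $userId, bool $bindIp = true): void
{
    // Fresh session ID on privilege change so a pre-set ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['is_logged_in'] = true;
    $_SESSION['user_id']      = $userId;
    $_SESSION['bind_ip']      = $bindIp;
    $_SESSION['fingerprint']  = clientFingerprint($bindIp);
    $_SESSION['last_seen']    = time();
}

// Returns the logged-in user's id, or null when there is no valid login.
// An expired or mismatched session is destroyed rather than trusted.
function currentUserId(int $idleTimeout = 1800): ?int
{
    if (empty($_SESSION['is_logged_in']) || !isset($_SESSION['user_id'])) {
        return null;
    }
    $expired  = (time() - (int)($_SESSION['last_seen'] ?? 0)) > $idleTimeout;
    $expected = (string)($_SESSION['fingerprint'] ?? '');
    $bindIp   = (bool)($_SESSION['bind_ip'] ?? false);
    if ($expired || !hash_equals($expected, clientFingerprint($bindIp))) {
        logoutUser();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int)$_SESSION['user_id'];
}

// Clears server-side state and expires the client's session cookie.
function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Usage on a protected page:
// $uid = currentUserId();
// if ($uid === null) { header('Location: /login.php'); exit; }
```

Because the flag and id are read back from `$_SESSION` on the server, a client editing its own cookie can only change which session ID it presents, not the values stored under that ID. Whether to bind to the IP is a trade-off: it blunts cookie theft, but, as the comments note, users whose address changes mid-session will be logged out.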

Author: Luis

Updated on June 27, 2022

Comments

  • Luis, about 2 years ago

    How should I store the user's id in the session? Just insert the id? I mean (for example):

    session_start(); // must run before $_SESSION is used
    $_SESSION['id'] = 1;
    

    Isn't there a way for the user himself to change it (like a cookie)? Because if so, he can change it to any id.

    One more question about it: how can I check if a user is logged in (with sessions)? I created a session variable:

    session_start();
    $_SESSION['is_logged_in'] = true;
    

    Again, can't the user just create a session variable whose name is 'is_logged_in' and whose value is true? Or does only the server have control over the value?

  • another, almost 7 years ago

    Check @Charles' answer: "locking a session to an IP address may accidentally alienate people."
  • Rick, about 4 years ago

    I must say that I have used this method before as well, in conjunction with the user-agent. The problem with IP addresses is that mobile users on the go will/can experience regular logouts.