user260019

Reputation: 553

Is the PHPSESSID cookie the only key for a $_SESSION in PHP?

If it's true, and I know the value of PHPSESSID, can I fake that user?

Upvotes: 2

Views: 2529

Answers (1)

Gordon

Reputation: 317197

Kind of. If you know the Session ID you can hijack her session.

You could also transparently pass the Session ID via the URL by enabling --enable-trans-sid in your php.ini, which makes accidental session hijacking more common, e.g. when people send links around that contain the SID. So you're better off with cookies, as they are much harder to steal.

However, you can rename PHPSESSID to a different key to make attempts at guessing the key somewhat harder or use custom session handlers that do additional checking on the request, e.g. check the IP or against another cookie.

See

Upvotes: 3
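The mitigations in the answer above (renaming PHPSESSID, keeping the ID out of the URL, and having the session do extra checking on each request) as one added example; this is not the answerer's code. It assumes PHP 7.3 or newer for the array form of the cookie options, and the cookie names `APPSESS` and `APPSESS_BIND` are arbitrary choices. Instead of checking the client IP, which breaks for mobile and proxied users, it binds the session to a second random cookie plus the User-Agent, so a leaked session ID on its own is not enough.

```php
<?php
// Added example (not from the original answer): harden PHP session handling so a
// leaked session ID alone cannot be replayed. Cookie names are assumptions.
declare(strict_types=1);

function start_hardened_session(): void
{
    session_name('APPSESS');            // no longer the well-known PHPSESSID
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,             // only sent over HTTPS
        'httponly' => true,             // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
    ini_set('session.use_trans_sid', '0');
    session_start();

    $uaHash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');

    // First request of a session: issue a second random token in its own cookie
    // and keep only its hash server-side.
    if (!isset($_SESSION['bind_hash'])) {
        $token = bin2hex(random_bytes(32));
        setcookie('APPSESS_BIND', $token, [
            'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
        ]);
        $_SESSION['bind_hash'] = hash('sha256', $token);
        $_SESSION['ua_hash']   = $uaHash;
        return;
    }

    // Every later request must present the bind cookie and the same User-Agent.
    $presented = hash('sha256', $_COOKIE['APPSESS_BIND'] ?? '');
    if (!hash_equals($_SESSION['bind_hash'], $presented)
        || !hash_equals($_SESSION['ua_hash'], $uaHash)) {
        // Treat a failed binding check as a hijack attempt: log it and kill the session.
        error_log('session binding check failed from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
        $_SESSION = [];
        session_destroy();
        http_response_code(403);
        exit;
    }
}

function on_successful_login(int $userId): void
{
    // Fresh ID on privilege change, so a pre-login ID known to someone else dies.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```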
