PHP PHPSESSID exploit confusion

Question

I am confused about the PHPSESSID exploit. If I change document.cookie to another active user's (on a simple social media site like youtube or instagram [just an example]) PHPSESSID, will the page reload with me being logged into that user's account? Will I also need to know that user's password? Note: I will not actually do that but I want to learn what would happen.

Answer 1

The answer depends on the target site's security checks.

If the site assumes that the PHPSESSID cookie is enough to authorize access, then yes stealing someone's session would be sufficient to impersonate her, without the need to know her password.

Sites often have additional measures though: they might check whether other parameters such as the IP address or the User Agent have changed during the session and if they detect such a change, invalidate the session and deny access.

Sessions typically also have an expiration, so that if you obtain a session cookie, say from a browser that has been left unattended for hours, the site may deny access because it is past expiration. You see this often with banking sites that will show you a popup telling you that your session expired or is about to expire.

Finally, if a user logs out, a good site will destroy the session. Even though you have the PHPSESSID cookie, when you present it to the server it won't find the matching session because it would have been destroyed.