Reputation: 71
Suppose I am not using HttpOnly cookies for my session on a PHP web app. If a visitor is on a page that uses PHP sessions, they can see the session cookies. In addition to viewing, they can also delete or edit them.
The next case involves the user being on a page (say, a normal page) on my web app that doesn't use sessions, and the normal page contains a link to a page which uses sessions (the session page), i.e. one that calls session_start(). On the normal page, if a cookie is set (say, using the console) with the same name as the one I use for the session page, and the link to the session page is clicked, what happens when I call session_start() on the session page?
Does it create a new session, or try to map to a session with the value in the cookie being sent from the normal page?
If it maps to an existing session value, then the session is said to be hijacked. What happens in the case when it doesn't map? Does it create a session cookie with a new value?
Even if I use HttpOnly for my sessions, it is certain that the session cookie cannot be read or manipulated using JS on the client side. But on the server, does the server read the same (HttpOnly) flag on the session cookie being sent to the server by the client and invalidate the session in case it wasn't HttpOnly? Or does it try to map the value to existing sessions on the server?
Hope I was able to make it clear.
Upvotes: 2
Views: 4081
Reputation: 345
Sessions work in PHP like this.
When the user first visits the site and the PHP has session_start(), it checks if the user is sending a cookie with a session ID. If they aren't, then it creates one and sends it so the user stores it in a cookie. Then, when the user visits another page, session_start() can check if they already have a cookie, and this time they do. Session cookies (stored on the user's PC) are cleared when the browser is closed.
session_start() isn't creating a new session every time it is called. What it is doing is pulling in information about that session so it can be used further down in the code. When the user sends the session ID from their cookie, session_start() then pulls in the information stored about this session from the web server, so then you can do things such as check whether you stored adminloggedin as true or false in their session. If the user didn't send a session ID, then it doesn't pull any information from the server and just creates an ID and sends this back to the user to store in a cookie.
You don't need to use session_start() on every page; however, if you need to check something from a user's session, such as whether they are logged in, then you need to call it in order to get the data about their session.
All information about a session is stored server side. For example, if I said the user was logged in and stored this in the session, then this can be checked to allow access to admin pages. The user cannot fake this, as all they are sending is the session ID and all the data about the session is stored server-side. They are not storing a cookie with information about the session; all they store is the ID for the session, which is sent across.
Upvotes: 2
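The question asks what session_start() does with a cookie value the client made up, and the answer above describes the lookup. The following is an added example (not code from the question or the answer) of a "session page" bootstrap that makes that behaviour observable and closes the fixation gap the question worries about: with session.use_strict_mode enabled, an incoming ID that matches no server-side session is discarded and a fresh one is issued rather than adopted, and session_regenerate_id() rotates the ID at login so an ID known before authentication no longer refers to the authenticated session. It assumes PHP 7.3 or later (array form of session_set_cookie_params) and the default file-based session handler; the function names secure_session_start, start_and_report, login_user and is_logged_in are this example's own.

```php
<?php
// Added example, not from the original question or answer.
// Assumes PHP >= 7.3 and the default session save handler.

/**
 * Configure the session cookie and start the session.
 *
 * use_strict_mode is the setting that decides the questioner's case: when an
 * ID arrives that has no session data on the server, PHP drops it and creates
 * a new ID instead of mapping the attacker-chosen value to a fresh session.
 */
function secure_session_start(): void
{
    ini_set('session.use_strict_mode', '1');   // reject uninitialised IDs
    ini_set('session.use_only_cookies', '1');  // never accept the ID from a URL

    session_set_cookie_params([
        'lifetime' => 0,      // session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable or writable from client-side JS
        'samesite' => 'Lax',
    ]);

    session_start();
}

/**
 * Start the session and report whether the ID the client sent was kept.
 * Compares the cookie value seen before session_start() with the ID actually
 * in use afterwards; a mismatch means the client's value was not mapped.
 */
function start_and_report(): array
{
    $sent = $_COOKIE[session_name()] ?? null;  // session_name() is PHPSESSID by default
    secure_session_start();

    return [
        'id_sent_by_client'  => $sent,
        'id_in_use'          => session_id(),
        'client_id_accepted' => $sent !== null && $sent === session_id(),
    ];
}

/**
 * Mark the session as authenticated. Rotating the ID here means that whoever
 * knew the pre-login ID (forged cookie, leaked link) cannot reuse it to reach
 * the logged-in session; the old ID's data file is deleted (true).
 */
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['logged_in'] = true;
}

/** Authorisation check: the server-side data, never the cookie, is the source of truth. */
function is_logged_in(): bool
{
    return !empty($_SESSION['logged_in']);
}

// --- usage on the "session page" ---
$report = start_and_report();
// Example: a client that set PHPSESSID=attacker-chosen in the console gets
// 'client_id_accepted' => false, because strict mode discarded that value.

if (!is_logged_in() && isset($_POST['user_id'])) {
    // hypothetical credential check omitted; rotate the ID once authenticated
    login_user((int) $_POST['user_id']);
}

header('Content-Type: application/json');
echo json_encode($report + ['logged_in' => is_logged_in()]);
```

Without use_strict_mode (the PHP default for a long time), the lookup in start_and_report() reports client_id_accepted as true for any syntactically valid ID: PHP adopts the value, finds no data for it, and simply starts storing new data under the attacker's chosen ID, which is the fixation scenario the question describes. The HttpOnly flag plays no part in this server-side decision; the server never sees the flag on an incoming cookie, it only sees the name and value, so the mitigation has to be strict mode plus regeneration at login, not the cookie attribute alone.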