
I am working on a project where I am using PHP_SESSION. Somewhere I heard that PHP_SESSION is quite unsafe for passing valuable data, so I have to know what the security flaws are, how it can be hacked and how to protect yourself from them. Every simple, brief and usable answer would be appreciated.

1 Answer


The $_SESSION variable in PHP is a temporary block of memory assigned to each specific user separately. Its purpose is not to be secure; it is meant to store session information.

If you are thinking of using it to store long-lasting data, or data that needs to comply with the CIA triad, I suggest you look into something else. There are variables in PHP's config related to garbage collection that may affect the life cycle of your session data, but most importantly, all session data is stored in the /tmp folder (unless configured otherwise), so if an attacker gains access to the file system they will be able to fetch all content from the $_SESSION variable of every user.

You may consider instead storing an encrypted version of everything sensitive, as explained here.

Another thing to consider is to override the default way of handling $_SESSION; in PHP you can define your own session handling functions. With this you may store your sessions in a remote database, for example, adding an extra layer of security. Of course, if your file system is compromised the login credentials to that database will most likely be compromised as well, but at least it's an extra layer of security.

Purefan
  • The data passed using session will be strongly encrypted by various complex encryption algorithms, but still I think PHP_SESSION is not safe, as encrypted data can also be decrypted. So according to you, which is the safest function in PHP, and how do I use it for passing encrypted and sensitive data? – Abhinav Shrivastava Jun 01 '15 at 08:33
  • It depends on each case; you mentioned 2 different scenarios: 1) Email. 2) Passwords. Passwords are one-way encrypted, but emails need to be decrypted so they can be read. Because of this the mechanism and implementation are different in each. For passwords I recommend password_hash with bcrypt; for email I think mcrypt with rijndael 128 is still considered safe. – Purefan Jun 01 '15 at 08:42
  • For hacking PHP_SESSIONS a hacker must gain access to the server-side system's folders, which is not possible until the hacker cracks the password of the server. It can't be hacked from the client side. Am I right? – Abhinav Shrivastava Jun 01 '15 at 08:47
  • I do not dare to say that something cannot be hacked. Try to look at all the components in your system: the OS, the web server, even the shell parser; they have all been exposed to security issues. An ounce of prevention is worth a kilo of regret. – Purefan Jun 02 '15 at 10:04
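The two things the answer recommends, a custom session save handler (PHP's `session_set_save_handler` mechanism) and encrypting what goes into the session, combined in one piece of code. This is an added example, not code from the original answer or its comments. It keeps every session record encrypted with libsodium in a database instead of as plaintext files under /tmp, and binds each ciphertext to its session id so a record cannot be copied from one session into another. SQLite in memory is used so it runs stand-alone; the DSN, the `sessions` table name and the `SESSION_KEY` environment variable are this example's own assumptions. Requires PHP 8.0 or later with ext-sodium and PDO.

```php
<?php
// Added example: encrypted, database-backed session storage via a custom save
// handler. Not the original answer's code. Assumes PHP >= 8.0 with ext-sodium
// and PDO; the "sessions" table and SESSION_KEY env var are this example's choices.

final class EncryptedDbSessionHandler implements SessionHandlerInterface
{
    private const NONCE_LEN = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;

    public function __construct(private PDO $db, private string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
            throw new InvalidArgumentException('session key must be exactly 32 bytes');
        }
        // One row per session id; the data column only ever holds ciphertext.
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data BLOB NOT NULL, updated_at INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $blob = $stmt->fetchColumn();
        if ($blob === false || strlen($blob) <= self::NONCE_LEN) {
            return '';                        // unknown id: PHP starts an empty session
        }
        $nonce = substr($blob, 0, self::NONCE_LEN);
        $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
            substr($blob, self::NONCE_LEN), $id, $nonce, $this->key);
        // A tampered record, a record moved under another session id (the id is
        // the additional data) or a wrong key all fail authentication: treat the
        // session as empty rather than trusting any part of it.
        return $plain === false ? '' : $plain;
    }

    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(self::NONCE_LEN);   // fresh nonce on every write
        $blob  = $nonce . sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
            $data, $id, $nonce, $this->key);
        // INSERT OR REPLACE is SQLite syntax; use your RDBMS's upsert equivalent.
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, updated_at) VALUES (:id, :data, :t)');
        $stmt->bindValue(':id', $id);
        $stmt->bindValue(':data', $blob, PDO::PARAM_LOB);
        $stmt->bindValue(':t', time(), PDO::PARAM_INT);
        return $stmt->execute();
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = :id')->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE updated_at < :cutoff');
        $stmt->execute([':cutoff' => time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

// Wiring. The key must live somewhere the session store does not: an environment
// variable or a secret store, never a file beside the data it protects.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$encodedKey = getenv('SESSION_KEY');
$key = $encodedKey !== false ? base64_decode($encodedKey, true) : random_bytes(32); // random key: demo only
session_set_save_handler(new EncryptedDbSessionHandler($db, $key), true);
ini_set('session.use_strict_mode', '1');   // refuse session ids the server never issued
session_start();
$_SESSION['user_id'] = 42;                              // constructed sample data
$_SESSION['email']   = 'user@example.invalid';
session_write_close();

// What actually sits in the store is ciphertext, not the values above.
$stored = $db->query('SELECT data FROM sessions')->fetchColumn();
var_dump(str_contains($stored, 'example.invalid'));
```

The answer's caveat still applies: an attacker with the database credentials and the key has everything, so the gain is in separating the two. The ciphertext lives in the database, the key in the process environment or a secret store, and a dump of either alone yields nothing readable. `session.use_strict_mode` is set because a custom handler otherwise accepts any id a client presents and creates a session under it.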