I was always under the impression that PHPSESSID is a cookie generated by the session_start() function in PHP, and from what I've been told, it's more secure than normal cookies in that the PHPSESSID cookie is all the $_COOKIE encoded into one cookie, leaving it impossible to be decrypted manually. Correct me if I'm wrong, but if I make a login system, and put the login name and password in $_SESSION, and if a hacker steals the victim's PHPSESSID cookie, would the hacker be able to decrypt it and retrieve the login details?
You got the cookie on the browser... which contains an ID like: #ASDASD
That cookie saves that ID and carries it over to other pages that user visits on the SAME SITE.
That is ALL that is saved on the user's computer... just an ID...
SERVER
Now... when the server gets that ID... it saves a file called ASDASD... that is where all the data saved in $_SESSION is stored. So clearly, the user cannot get access to the session data.
SECURITY
What may be of more concern is a trick called "session hijacking" which is when someone steals that ID from one browser... and runs it in another browser... in effect taking over that user's session... but they still will not be able to see what is in the session itself unless you do something stupid like: print_r($_SESSION)
To help stop session hijacking you can lock a session to stuff like an IP address... so if someone accidentally posted their session id in a URL (ever seen a URL like: www.website.com/index.php?SESSIONID=dsahdjsdhslikdsdgsads)... then the IPs won't match and the session will be destroyed or the attacker issued a new ID.
You can help stop sessions being accidentally passed around by forcing session ids to be saved in cookies only via the PHP.INI file.
Kind regards,
Scott
EDIT: session_start() simply makes the connection between $_SESSION and the file on the server that the session data is saved to, and creates a session id if the user doesn't already have one.
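The points in the reply above (cookie-only session ids, locking a session to the client, never keeping the password in $_SESSION) put together in one login handler. This is an added example, not code from the post or its author; verify_credentials() is a hypothetical function assumed to check the submitted credentials against password_hash() values in your own user store.

```php
<?php
// Added example (not from the original post). Assumes a hypothetical
// verify_credentials(string $user, string $pass): bool provided by the application.
declare(strict_types=1);

// 1. Only accept session ids from cookies, never from the URL, and reject ids
//    the server did not itself generate. This closes the "?PHPSESSID=..." leak
//    and session fixation described in the thread.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

// 2. Harden the cookie: unreadable from JavaScript, HTTPS-only, not sent cross-site.
session_set_cookie_params([
    'lifetime' => 0,        // a session cookie: gone when the browser closes
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

session_start();

// 3. Lock the session to the client, as the reply suggests. Binding to the
//    full IP will log out users whose address changes (mobile, some proxies);
//    accept that trade-off here or loosen the check for your own user base.
function client_fingerprint(): string
{
    return hash('sha256', ($_SERVER['REMOTE_ADDR'] ?? '') . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
}

if (isset($_SESSION['fp']) && !hash_equals($_SESSION['fp'], client_fingerprint())) {
    // Fingerprint mismatch: treat the id as hijacked, destroy the session and
    // start a fresh, empty one with a new id.
    $_SESSION = [];
    session_destroy();
    session_start();
}

// 4. On successful login store only the user name (never the password) and
//    rotate the id, so an id captured before login is worthless afterwards.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && verify_credentials((string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''))) {
    session_regenerate_id(true);       // true = delete the old session file
    $_SESSION['user']       = (string)$_POST['user'];
    $_SESSION['fp']         = client_fingerprint();
    $_SESSION['last_seen']  = time();  // for an inactivity timeout check elsewhere
}
```

Everything the browser ever holds is still just the id; the fingerprint and user name live only in the server-side session file.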
That's what sessions are supposed to do for security reasons.
Session cookies have an expire time of 0... meaning they expire when the browser is closed. Just change that setting; there is some stuff in the php.ini file to help you with it.
Select what you want to copy and in doing so you will keep the formatting when pasting it.
Also, I noticed this site keeps me logged in even after I quit my browser. What time would I set the session span to if I never wanted the users to be logged out?
Well, even if a browser does keep the session, the server will still delete it after a period of inactivity. The only way you can keep your session is if you accidentally delete your tab or browser and reopen it quickly.