is this a secure way, assuming hacker can write his own session value


sakherq
10-01-2007, 07:21 AM
I heard from a post here that some hackers can write their own session values
in any web site if it is not secured by SSL authentication.

// correct me if I am wrong

I thought about some way to give sessions to users
with values generated by some encryption algorithm,
and every web page in my web site should check if that value in the session
can be a key for the same algorithm, so I can check whether the given value was not generated using my algorithm.

I think many sites use such a way, by giving a key to the users, which can be seen in the URL.

// another issue
Is the hacker able to reach the folder that contains my web site's PHP files,
so he can see the algorithm and generate keys to act as admin in my web site, for example?

valenok
10-01-2007, 04:49 PM
1. You are wrong. Nobody can rewrite session data. Read what sessions are.
In some cases he can switch sessions and face you under the mask of another user.
2. If he could read session data, he could see your key and use it with other
corrupted data.
3. No. While your server is up and working properly, they can't reach the PHP sources.
They can try to make your server fail.

sakherq
10-02-2007, 01:39 AM
I can tell you a program that will allow you to send arbitrary requests: Fiddler. It's a great debugging and analysis program AND a newbie hacker's best friend, which gives you the ability to write your own session value.

valenok
10-02-2007, 04:34 AM
You can't edit session data!
Nor can that program.

NightShift58
10-02-2007, 04:36 AM
You don't have to...

All you need is the cookie that identifies the session and the server will deliver the rest to you.

Not that easy, but basically, that's the way it runs.

valenok
10-02-2007, 04:38 AM
All you need is the cookie that identifies the session and the server will deliver the rest to you.

You don't even need that. PHP takes care of it for you.

NightShift58
10-02-2007, 04:45 AM
It won't do that unless it's my session.

MrCoder
10-02-2007, 06:27 AM
Does PHP use the IP address of the client when managing sessions?

If the user changes his IP, will his currently active session become invalid?

sakherq
10-02-2007, 06:47 AM
I don't think so...

valenok
10-02-2007, 06:52 AM
It uses IP + cookie.
But it's quite hard to guess a string like
PHPSESSIDjfiowebkashij2h9u32gbjvb49t
and change the IP to the appropriate IP.

--

It wouldn't do what ?

Jeff Mott
10-02-2007, 09:48 PM
Session data in PHP is saved on the server, not the user's computer. So no, they can't edit that data.

They can send a different, fake session ID, but they would need to pick one that's actually being used at that very moment. A hacker would have better luck trying to guess the admin's password than trying to guess a session ID.
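The thread's practical takeaway (session data lives on the server; the server should refuse session IDs it did not issue, and should issue a fresh ID when a user logs in) can be expressed directly with PHP's built-in session settings instead of a home-grown key algorithm. The following is an added example, not code posted by any participant; it assumes PHP 7.3 or later, a site served over HTTPS, and a hypothetical $userId produced by the login code.

```php
<?php
// Added example: hardened PHP session bootstrap, included before any output.
declare(strict_types=1);

function secure_session_start(): void
{
    // Reject session IDs the server did not itself generate. This is the
    // built-in answer to "what if a visitor makes up his own session value":
    // an unknown ID is discarded and a fresh server-issued one replaces it.
    ini_set('session.use_strict_mode', '1');
    // Accept the ID only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Cookie attributes: no JavaScript access, HTTPS only, limited
    // cross-site sending. 'secure' => true assumes the site runs on HTTPS.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);

    session_start();

    // Idle timeout: a leaked cookie is only useful while the session lives.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > 1800) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = $now;
}

// Call once the password has been verified ($userId is hypothetical).
function on_successful_login(int $userId): void
{
    // Issue a new ID on privilege change, so whatever ID the visitor held
    // before logging in never becomes an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function on_logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}
```

With use_strict_mode on, a request carrying a fabricated PHPSESSID simply starts an empty new session, so there is nothing for each page to re-verify by hand.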