All geek questions in one place

Is there any security advantage for encrypting session variables?

Could, for example, hijack a session? If not, what can I do to ensure the security of my php sessions?

+6
source share
2 answers

What is sent to the client is a session identifier, not a session variable. These session identifiers are usually set as cookies in the client. Of course, if someone receives a session identifier (for example, using a cross-site scripting attack) from a user's browser or client, he can set the session identifier in his own client and impersonate another user.

However, session variables usually refer to values ​​in the $_SESSION . See http://www.php.net/manual/en/function.session-start.php for an example. These values ​​are never sent over the network to the client.

Regarding the protection of session identifiers, I already explained in the first paragraph that they are stored as cookies in the browser. In an HTTP session, cookies are transmitted between the server and the client in clear text. This is vulnerable to eavesdropping (for example, the guy on the router through which your packets go through can grab your packets and read the session identifier from it). The best way to solve this problem is to use HTTPS instead.

+13
source

I think it depends on what you mean by "security." If your application is on a shared host and your session data is stored in some insecure central location where it can be opened for reading by other users, then yes, technically there are some security benefits for encrypting your sessions. However, it would be much better to use your time and efforts to simply write your own session storage engine so that you do not store them in the first place, an insecure location; especially considering how easy it is to make encryption completely wrong and give yourself a false sense of security.

0
source

Source: https://habr.com/ru/post/907770/

More articles:


All Articles