What are the risks when storing data in a session?

I heard about cross-site scripting and that people can access cookies in an insidious way. So I was hoping that someone could answer a few questions. I want to take an example of storing something in a session in the cleanest way, but using a CMS such as Drupal. Say we have this:

    session_start(); // required before $_SESSION is available
    $data = $fancyWebService->getSuperSecureDataThatOnlyTheCurrentlyLoggedInUserCanSee();
    $_SESSION['basic_variable'] = $data;
  • If the user is now navigating from mysite.com to devious-site.com, is there a way to get data from "basic_variable" just by knowing what this variable is called?
  • Is there a way that the current user can see the printout from the $_SERVER variable and actually see all the content stored in it?
  • I read somewhere that the data in the session or in the cookies should be “encrypted”. In the above example, I am sure that the data is stored in the session and that this session is safe. Is this true, or is it only safe if HTTPS is enabled?
  • Drupal stores some information in cookies; if you decide to use cookies as a “session”, how does this affect the above?

UPDATE

Regarding question 2: I mean, if I put the following into a PHP file:

    session_start(); // required before $_SESSION is available
    print '<pre>';
    print_r($_SESSION);
    die();

(or just var_dump the session variable) ...

I get all the information that I store there, unencrypted. My question is: is there any way the user can access the session variable (other than me exposing it like this), which would make it a bad idea to leave the values unencrypted?

+6
3 answers

User grom has a great answer that mentions ways to protect your session in PHP: fooobar.com/questions/35402/...

I would like to start by saying that PHP, especially version 5.xx, has come a long way in terms of security; however, there are still many potential things that can happen to your session data, as it is constantly being transferred between your server and the client. Let me address your 4 points individually:

"If the user is now navigating from mysite.com to devious-site.com, can someone get data from "basic_variable" there, just by knowing what the variable is called?"

In fact, no. Your variables and variable names are stored on your server, and since the code is processed into HTML before being sent to the client, your PHP code never reaches the client. Data stored in variables that would not otherwise be transmitted to the client is safe on your server unless someone gains access to your server or in some way undermines its security. If the data in this variable is stored in a session or cookie that is transmitted over the network to the client, it may be intercepted. This traffic is unencrypted by default, unless you have implemented OpenSSH through an SSL certificate or a similar encryption scheme.

"Is there a way that the current user can see the printout from $_SERVER and actually see all the content stored in it?"

Only if you echo it, or otherwise program your PHP to expose the data stored in it. Again, if a variable is ever set somewhere where it is sent to the client and not processed into HTML or otherwise removed before the HTTP response is sent, it is at risk.

"I read somewhere that the data in the session or in the cookies should be “encrypted”. In the above example, I am sure that the data is stored in the session and that this session is safe. Is it, or is it only safe if HTTPS is enabled?"

Yes, HTTPS must be enabled and you must have an SSL certificate to encrypt data; otherwise all of your unencrypted HTTP requests / responses can be sniffed, and then there are cross-site scripting attacks, domain codes, redirect attacks, and the list goes on. SSL definitely helps prevent much of this.

"Drupal stores some information in cookies; if you decide to use cookies, how does this relate to the “session”?"

Cookies are stored on the user's computer. The data in cookies can be encrypted or hashed by your server so that it is stored safely on the client side, but anything is possible. If a potential hacker spoofs your domain, they gain access to the cookies and everything in them. If a cookie refers to an active session, they have simply faked their identity and accessed your site using the victim's session. Poof. Identity theft, malicious user content editing, etc. Drupal has definitely existed long enough to have mechanisms to prevent this; however, I am not a Drupal expert.

Hope this sheds some light. IMO, best practice: do not store sensitive data in a session! If you store identifying information in your cookies, make sure you have some type of implementation to prevent local swapping, e.g. in ASP.NET MVC I use the Anti-Forgery token that is offered as part of the framework. You want to insure against a person who pretends to be someone else through a cookie, so you want another way to check that the request carrying the given cookie originated from your site / domain and not another.

+6
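An added example (not code from the question or from this answer) of what the points above look like in plain PHP: the session data itself stays on the server, only the session ID travels in the cookie, the cookie is flagged so it is sent only over HTTPS and is unreadable from JavaScript, the ID is regenerated at login, and a per-session anti-forgery token is checked on POST. Function names such as startHardenedSession() and loginUser() are assumptions for the illustration, not a framework API.

```php
<?php
// Added example: hardened session bootstrap for plain PHP (not from the original post).
declare(strict_types=1);

function startHardenedSession(): void
{
    // Accept the session ID from the cookie only, never from the URL,
    // and reject IDs this server did not issue.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // discarded when the browser closes
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => true,    // sent only over HTTPS, so it cannot be sniffed on plain HTTP
        'httponly' => true,    // not readable by page JavaScript (limits cookie theft via XSS)
        'samesite' => 'Lax',   // not attached to cross-site POSTs from another domain
    ]);
    session_start();
}

function loginUser(int $userId): void
{
    // New ID on privilege change, so an ID set before login cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;                 // lives on the server, not in the cookie
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function csrfTokenIsValid(?string $submitted): bool
{
    if (!isset($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    // Constant-time comparison of the submitted token with the server-side one.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

startHardenedSession();

if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
    // The request carries a valid session cookie but no matching token: treat it as forged.
    http_response_code(403);
    exit('Invalid anti-forgery token');
}
```

The token has to be embedded in every form the site renders (a hidden input named csrf_token here) so that a page on another origin, which cannot read it, cannot produce a request that passes the check.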

The session ID is stored in client cookies, and no other domain can access the cookie of another domain; likewise two servers (two websites) cannot see each other's sessions (unless you store them on a shared server).

1: With the general approach it is not possible, but there is a way. To make a session available on different sites, you must store the session on a shared server and must transfer your session identifiers via GET / POST. Write your own session_save_handler and save the sessions in the database. The database is accessible from several web servers, and you're done.

2: The question is not clear.

3: Yes, https can protect you from session hijacking.

4: The question is a bit unclear; follow this URL to get the difference / relation between session and cookie:

http://viveksoni.net/how-session-works-what-is-session/

+3
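As an added example of the database-backed session handler mentioned in point 1 (this is not the answerer's code), here is a SessionHandlerInterface implementation on top of PDO, registered with session_set_save_handler() so that several web servers sharing one database see the same sessions. It uses SQLite for a self-contained run; the file path is a placeholder, and in a multi-server setup the DSN would point at the shared database server. The handler keeps the session ID in the cookie rather than in GET / POST parameters, so the ID does not end up in URLs, proxy logs or Referer headers. Requires PHP 8.0+ and SQLite 3.24+ (for ON CONFLICT ... DO UPDATE).

```php
<?php
// Added example: PDO-backed session handler (not from the original answer).
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo, private int $maxLifetime = 1440)
    {
        $this->pdo->exec(
            'CREATE TABLE IF NOT EXISTS sessions (
                id        TEXT PRIMARY KEY,
                data      BLOB NOT NULL,
                last_seen INTEGER NOT NULL
            )'
        );
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Return the serialized session data, or an empty string if the ID is
    // unknown or expired (an expired row must not be revived).
    public function read(string $id): string|false
    {
        $stmt = $this->pdo->prepare(
            'SELECT data FROM sessions WHERE id = :id AND last_seen > :cutoff'
        );
        $stmt->execute([':id' => $id, ':cutoff' => time() - $this->maxLifetime]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : (string) $row['data'];
    }

    // Upsert the session row; prepared statements keep the ID out of the SQL text.
    public function write(string $id, string $data): bool
    {
        $stmt = $this->pdo->prepare(
            'INSERT INTO sessions (id, data, last_seen) VALUES (:id, :data, :now)
             ON CONFLICT(id) DO UPDATE SET data = excluded.data, last_seen = excluded.last_seen'
        );
        return $stmt->execute([':id' => $id, ':data' => $data, ':now' => time()]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    // Garbage collection: drop rows idle longer than the lifetime passed by PHP.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE last_seen <= :cutoff');
        $stmt->execute([':cutoff' => time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

// Placeholder path; on a multi-server deployment this would be the shared DB server's DSN.
$pdo = new PDO('sqlite:/var/lib/myapp/sessions.sqlite');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

session_set_save_handler(new PdoSessionHandler($pdo), true);
ini_set('session.use_strict_mode', '1');   // IDs not present in the table are rejected, not adopted
ini_set('session.use_only_cookies', '1');  // the ID travels in the cookie, not in GET / POST
session_start();
```

With use_strict_mode on, read() returning an empty string for an unknown ID makes PHP issue a fresh ID instead of accepting one supplied by the client, which is what prevents session fixation across the shared store.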

Cookies are only available to the domain they were saved from. Capturing them is network dependent.

+1

Source: https://habr.com/ru/post/980853/
