Hello There, Guest! Login Register


Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
PHP session security questions
#1
Hi[font=宋体],[/font]

So i was looking into how to make my site more secure (specifically PHP sessions) because at the moment i'm running user id and some other data through the session (avatar...etc) and from what i could figure out on the interwebs is that PHP sessions are not visible to users but the PHPSESSID is.

My question is, how can a hacker hijack my PHP session, what is the process they need to go through to obtain that session data? i have tried to use wireshark to test my site and i couldn't see any session data but only cookies (something that's scary is seeing my password when POSTing to the log-in page.[font=宋体] Thanks for your advice![/font]
Reply
#2
I'm not an expert on the subject but I believe in general as long as your data is stored on the server its relatively safe: the two biggest vulnerabilities being during POST or GET operations.
Quote:#taken from php.net

There are several ways to leak an existing session ID to third parties. A leaked session ID enables the third party to access all resources which are associated with a specific ID. First, URLs carrying session IDs. If you link to an external site, the URL including the session id might be stored in the external site's referrer logs. Second, a more active attacker might listen to your network traffic. If it is not encrypted, session IDs will flow in plain text over the network. The solution here is to implement SSL on your server and make it mandatory for users. HSTS should be used for this.
Read more on php sessions & security
Reply
#3
PHP is very hard to write securely especially with a database/backends.
And no it is not 'safe' to keep your Databases on your server, but 'safer' try limiting all connections to 'localhost'.

Let's Encrypt provides free SSL certificates, don't forget to donate to the Let's Encrypt Foundation!
The nomenclature of Course C Hosting origins from the very potent C Course IPs these are accountable to influence the performance cheap windows vps of sites in Seo hosting and online marketing. With out the Course C IPs, Seo hosting is truly not possible.
Reply
#4
Try checking out how the new frameworks are handling sessions, such as laravel, codeigniter etc. They have a pretty secure session handling encrypted with a specified encryption key, although I must warn you, that securing sessions doesn't secure your users to Man in the Middle attacks.
Reply
#5
maybe you can upgrade your script to latest version if you use open source script,
or you hire a coder to improve your script's security.
just another...
Reply


Forum Jump:


Users browsing this thread:
1 Guest(s)