Session userid manipulation generated by PHP

Time:01-30

Let's say the client logs in successfully and the server (Apache / PHP) creates a session, where the userid is stored:

$_SESSION['userid'] = $UseridFromTheDB;

What does this line do exactly?

  1. Stores the userid on server-side memory
  2. Stores the userid on client-side cookie
  3. Both 1. and 2.

I think 3. is correct, because I did not use any other code to create the session on the server and the cookie on the client. So, as I said, all I have to do is use the $_SESSION global variable and it will do the magic for me. It will store the session variable in memory on the server side and it will send the Set-Cookie header, so the userid will be stored on the client side as a cookie.

So my question is, what if I modify the userid on the client side? For example, if I see 100 as a userID and I modify it to 101, then the next request will be made with userID 101, right? Will the server give me the content which belongs to userID 101?

CodePudding user response:

> It stores the session both in the server-side memory and client-side cookie.

No. The session information (e.g. all the variables) is stored in a file on the server only by default. The cookie is called PHPSESSID and is merely a unique ID that points to one of the files on the server. The name of this cookie can be changed by changing the session.name option in PHP's runtime configuration, so it may have a different name per website.

These files are stored in the tmp/ directory of the server by default. Unless you have access to the folder that these files are stored in (a massive security flaw), there is no way to get access to them.

When I create a PHP-file with the contents below:

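<?php

// Creates (or resumes) the session and sends the PHPSESSID cookie
session_start();

// These values are written to the server-side session file only
$_SESSION['userid'] = 1;
$_SESSION['username'] = 'user1';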

It created a cookie in my browser with the name: PHPSESSID and this content:

11j9etj85pfnq36h15qb9mu60v

This corresponds with a file called sess_11j9etj85pfnq36h15qb9mu60v in the tmp/ folder of my XAMPP install. This file has the contents below, which as you can see contains the variables present in the $_SESSION global.

userid|i:1;username|s:5:"user1";

> What if I modify the userid on client-side?

How? Unless the website has a major security flaw that allows you to execute PHP code, or does something ridiculous like setting the $_SESSION['userid'] based on a form input, you have no way to modify it.

You could copy the session ID from one browser's cookies to another, but this is a whole other issue and not related to the session security. It may not even work if the website checks the user-agent and IP-address of the connection and logs you out if they don't match the information that the session was originally started in.

> For example if I see 100 as an userID and I will modify it to 101, then the next request will be made with userID 101, right?

No, since the session is not based on a variable within it. You would need to correctly guess a PHPSESSID to hijack another user's session. Again, unless the website has a major security flaw, there is no way for you to change variables in the $_SESSION superglobal. Most somewhat-modern web frameworks like Laravel encrypt the session cookie and make the length longer than the default length, making it even more impossible to guess one.
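
An added example, not part of the original answer: one way to set up the session so that the user ID lives only in the server-side session file, the PHPSESSID cookie is hardened, and the user-agent check the answer mentions is enforced. The function names and the `ua_hash` session key are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example; function names and the 'ua_hash' key are assumptions.
function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function client_fingerprint(): string
{
    // User-agent binding as described in the answer above.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function log_in(int $userIdFromDb): void
{
    session_regenerate_id(true);           // new ID at login, old session file deleted
    $_SESSION['userid']  = $userIdFromDb;  // from the database, never from request input
    $_SESSION['ua_hash'] = client_fingerprint();
}

function current_user_id(): ?int
{
    if (!isset($_SESSION['userid'], $_SESSION['ua_hash'])) {
        return null; // unknown or empty session: not logged in
    }
    if (!hash_equals($_SESSION['ua_hash'], client_fingerprint())) {
        $_SESSION = [];      // cookie presented by a different client
        session_destroy();
        return null;
    }
    return (int) $_SESSION['userid'];
}

start_secure_session();
$userId = current_user_id(); // null means the request is not authenticated
```

A request whose cookie is edited to an ID with no matching session file gets a fresh, empty session, so `current_user_id()` returns null.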
