Session data in PHP


4

I am using an SSL certificate, and wanted to know if it is possible for the user to see the data saved in the session?

For example, I have a variable called config, where I keep some user access settings. Can the user change these values somehow? With a cookie, this can be done from the user's own browser.

I wanted to know if this is possible with a session because the data is on the server.

1 answer

4


Session data stays on the server, with no direct access by an unauthorized third party.

One way to gain access to a particular session is session hijacking.

A session requires an ID. This ID is saved in a cookie by the user’s browser. Another malicious user, in possession of the victim’s computer, can simply copy this cookie to another machine and thus have access to the session opened by the victim. That is, this is session hijacking.

Consult by searching the site: /search?q=sequestro+sess%C3%A3o

Another way to literally steal sessions is for an intruder to gain access to the server. An experienced attacker goes straight to obvious locations where he can get valuable data. One of these locations is the folder where sessions are saved. Many programmers save sensitive data without encryption, leaving it in plain text. That makes it a piece of cake for a hacker to get the passwords of hundreds or thousands of users. In cruder cases, some even save credit card data. Believe it or not, this nonsense happens.



Note: SSL does not increase security, it is indifferent to this case.

  • "SSL does not increase security, it is indifferent to this case": exactly. For this case, SSL has nothing to do with it. SSL only increases security in case of data interception.

  • Is there any way to improve security against data theft?

  • Click on the link present in the reply...
