Re: Is it safe to store user_id in Session?



pim@xxxxxxxxxxxx wrote:
Dear All,

What I was wondering is how safe it is to store user_id or username or
anything like that in session. I usually store a bunch of info in a
session so I do not need to search the database all the time. However,
is it easy to change a value after being logged in?

For example:
- A user logs in
- Now set is: $_SESSION["user_id"] = 34;
- If he opens his "Profile page", the website collects all personal
information from table users where user_id = 34

But according to this article:
http://www.governmentsecurity.org/archive/t13901.html

Hi,

I think you didn't read that article right.

I think you are referring to this part. Is that right?
<quote>

2. Bypassing Session Cookies

OVERRIDING BASIC SESSION COOKIE AUTHENTICATION

Most of the time session handling is done with the use of cookies. The cookies tell the webpage who you are and what you have access to and what you don't have access to. If the page does not handle session cookies correctly a hacker might be able to change their identity to that of another user. Cookies are stored in "window.document.cookie". With javascript we are able to erase, edit, create cookies for any website. This task is more complicated than regular types of attacks. I will not go into great detail about how it's done.

To View the Cookie:
javascript:alert(unescape(document.cookie));

<snipped>

So If You are logged in as "John Doe" in www.ima13370h4x0r.net and your session cookie reads:


SessionData=a:3:{s:11:"SessionUser";s:5:"75959";s:9:"SessionID";i:70202768;s:9:"LastVisit";i:1078367189;}

The cookie is actually serialized but you should be able to recognize "75959" as your user_id. Some of the time you will find a website that stores data (like user_id) in cookies but does not typecast the data. This is a serious hole in the site's code because any user is able to change their user_id to any other user or administrator user_id.

Changing the cookie value is easy once you have declared the window.c function. First change s:5:"75959" to s:x:"ADMINID" where x is the length of the new value. So if you want to change 75959 to 1. You must change s:5:"75959" to s:1:"1" :-) Sometimes you will need to change 75959 to "13 or 1=1" in order to bypass any WHERE statements any sql session queries used to keep you logged in the website.

</quote>



It is easy to change $_SESSION["user_id"] to, for example, 78.

No, it is NOT easy.
The article describes the cookie, which is NOT the session.

Only idiots store sensitive information into a cookie. So what is described in the article only works for bad php scripts.

With Firefox for example, you can view/delete/modify each and every cookie very simply.

PHP uses the cookie ONLY to pass around a string named PHPSESSID.
That string is used by PHP in subsequent requests to identify the user.
The actual information is stored in a file on the server, NOT on the client.

So if my php script decides to put this in your session:
$_SESSION["youneverknow"] = 42;

a visitor has no clue it is there, since this information is NEVER sent to the client. Only the PHPSESSID is sent.

So to hijack a session, which IS possible but a lot harder, you need to know the value of PHPSESSID cookie of somebody else.



So, that means that once you are logged in and change your own
user_id, you can see personal information from other users.

Yes, in the stupid setup described, that is possible.
Any PHP programmer with any experience won't do it in that way.

Regards,
Erwin Moller




Is this really possible? If so, I can imagine I would use a temporary
table with temporary hashes where user_ids will be stored next to a
temporary hash. However, this is much more work and database traffic
which will slow down the system dramatically.

So... Is $_SESSION["user_id"] = 34 safe enough?

Kind regards,


Pim Zeekoers



