Are sessions secure?


Mon Sep 02, 2002 4:14 pm

I've been reading about PHP sessions and they don't seem secure... so I was wondering all of your opinions... Of course if it's some simple variable it's no big deal, but other than that, maybe I should stick with cookies :?


Tue Sep 03, 2002 10:56 am

How don't they seem secure? They are not sent across the internet and the only way to obtain their data without you is to hack the actual server itself (and then you have to know where the session data is kept). I noticed by default it's in the /tmp in Linux, and wherever in Windows (I believe it's the session.save_path in the php.ini file), but this is easily changed. I'm not the greatest in either security or webserver administration. But I believe as long as you have a secure server, your session data should be just as secure.

Just my opinion :)



Tue Sep 03, 2002 11:12 am

A session basically works by the server placing a cookie on your PC with a unique code (the session value). Every time you access a page from the same site, your browser sends back the cookie values before it requests the page. The server sees the session value, and also uses any session variables which are stored on the server using the same session ID! It then generates the page and sends it back to the user!

So sessions are basically secure per se, until someone guesses your session ID (which is 32 alphanumeric characters) while it's active or hacks into the server!


Tue Sep 03, 2002 12:39 pm

Keep also in mind that when sessions are working via the URL (when the user has cookies disabled), the user may copy the session ID and send that to another user...

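A session setup that addresses the three points raised in the thread (session files in a shared /tmp, session IDs carried in the URL, and an ID being guessed or reused while active), as an added example that is not code from any of the posts. The directory path, function names and timeout value are assumptions; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. SESSION_DIR and the function
// names below are hypothetical.

// Private directory (owned by the web server user, mode 0700) instead of
// the shared default such as /tmp.
const SESSION_DIR = '/var/lib/php/app-sessions';

function start_hardened_session(): void
{
    ini_set('session.save_path', SESSION_DIR);
    // Never read the session ID from, or write it into, the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs that the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once the credentials have been verified.
function on_login(int $userId): void
{
    // Issue a fresh ID and delete the old session file, so an ID that was
    // known before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

// Shortens the window in which an ID is "active". Returns false when the
// session was idle too long and has been destroyed.
function enforce_idle_timeout(int $maxIdleSeconds = 1800): bool
{
    $last = $_SESSION['last_seen'] ?? null;
    if ($last !== null && time() - $last > $maxIdleSeconds) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}
```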