Are sessions secure?

[Xerpher]

I've been reading about PHP sessions and they don't seem secure... so I was wondering all of your opinions... Of couse if its some simple variable its no big deal, but other than that, maybe I should stick with cookies

[elitecodex]

How dont they seem secure? They are not sent across the internet and the only way to obtain their data without you is to hack the actual server itself (and then you have to know where the session data is kept). I noticed by default its in the /tmp in Linux, and wherever in Windows (I believe its the session.save_path in the php.ini file), but this is easily changed. Im not the greatest in either security or webserver administration. But I believe as long as you have a secure server, your session data should be just as secure.

Just my opinion

Will

[Jay]

A session basically works by the server placing a cookie on your PC with a unique code (the session value). Every time you access a page from the same site, your browser sends back the cookie values before it requests the page. The server sees the session value, and also uses any session variables which are stored on the server using the same session ID! It then generates the page and sends it back to the user!

So sessions are basically secure per se, until someone guesses your session ID (which is a 32 alphanumeric character) while it's active or hacks into the server!

[DoppyNL]

keep also in mind that when sessions are working via the URL (when user has cookies disabled), the user may copy the session id and send that to another user.....