Posted by Dikkie Dik on 10/11/11 12:00
> For example:
> - A user logs in
> - Now set is: $_SESSION["user_id"] = 34;
> - If he opens his "Profile page", the website collects all personal
> information from table users where user_id = 34
>
> But according to this article:
> http://www.governmentsecurity.org/archive/t13901.html
>
> It is easy to change $_SESSION["user_id"] to for example 78.
> So, that means that once you are logged in and change your own
> user_id, you can see personal information from other users.
I did not see that example. The cookie part of that page is very
unspecific, and has little to do with session cookies.
Google for "session hijacking" and "session fixation" to find out more.
In short, it is possible to pass another session id, thus changing to
another session. There is one thing that prevents it:
Session IDs are rather large, and sessions do not live that long. So
switching over to a random other session requires an absurd quantity of
luck.
However, if you can intercept the http traffic, you can mess up as much
as you like. You can send regular requests to the webserver with a
cookie to keep that session open.
If you build the site on https instead of http, the cookies will also be
encrypted.
A "real" session cookie only has an ID to a session, not live data. That
data remains on the server if you do not send it to the client. In fact,
I think the session is safe to store real IDs, but parameters are not.
So I usually hash all IDs before using them for client communication.
Best regards
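The points in the reply above (keep the real user_id server-side in $_SESSION, never take it from a request parameter, regenerate the id on login so a fixed session cannot be carried over, send the cookie only over https, and hash ids before they appear in URLs), collected into one PHP flow. This is an added example, not code from the post; the in-memory $USERS table, the credentials and the ID_TOKEN_KEY secret are constructed placeholders, and the "hash all IDs" step is done with a keyed HMAC rather than a plain hash so the mapping cannot be recomputed by a client.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the users table (not part of the post).
$USERS = [
    34 => ['username' => 'alice', 'pw_hash' => password_hash('constructed-pw-34', PASSWORD_DEFAULT)],
    78 => ['username' => 'bob',   'pw_hash' => password_hash('constructed-pw-78', PASSWORD_DEFAULT)],
];

// Placeholder: in a real deployment load this from configuration, never from source.
const ID_TOKEN_KEY = 'REPLACE-WITH-A-RANDOM-SERVER-SECRET';

// Session cookie carries only the id, so harden how that id travels:
//   secure   -> only sent over https (cookie is then inside the TLS stream)
//   httponly -> not readable by page scripts
//   samesite -> not attached to cross-site POSTs
// use_strict_mode rejects ids the server never issued; use_only_cookies
// refuses a session id passed in the URL. Both limit session fixation.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.gc_maxlifetime', '1800');   // sessions stay short-lived
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Login: on success, issue a brand-new session id before storing the
// privilege, so an id fixed in the browser beforehand is discarded.
function login(array $users, string $username, string $password): bool
{
    foreach ($users as $id => $row) {
        if ($row['username'] === $username && password_verify($password, $row['pw_hash'])) {
            session_regenerate_id(true);          // true = delete the old session file
            $_SESSION['user_id'] = (int) $id;     // live data stays on the server
            return true;
        }
    }
    return false;
}

// Profile page: the id comes from the session only. Any ?user_id=78 in
// the request is never consulted, so a logged-in user cannot select
// another user's record.
function profile(array $users): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;                              // not logged in
    }
    return $users[(int) $_SESSION['user_id']] ?? null;
}

// Ids that must appear in client-visible parameters (links, forms) are
// wrapped in a keyed-hash token; a client can neither derive a token for
// another id nor alter the id part without the server noticing.
function id_to_token(int $id): string
{
    return $id . '.' . hash_hmac('sha256', (string) $id, ID_TOKEN_KEY);
}

function token_to_id(string $token): ?int
{
    [$id, $mac] = array_pad(explode('.', $token, 2), 2, '');
    if ($id === '' || !ctype_digit($id)) {
        return null;
    }
    $expected = hash_hmac('sha256', $id, ID_TOKEN_KEY);
    return hash_equals($expected, $mac) ? (int) $id : null;  // constant-time compare
}

// Usage (constructed):
//   login($USERS, 'alice', 'constructed-pw-34');   // true, $_SESSION['user_id'] === 34
//   profile($USERS)['username'];                   // 'alice'
//   token_to_id(id_to_token(34));                  // 34
//   token_to_id('78.' . str_repeat('0', 64));      // null: forged token rejected
```

The profile handler deliberately has no parameter at all for the user id; where a page genuinely needs to reference a record in a URL, it passes the HMAC token and calls token_to_id on the way back in, and an authorization check against $_SESSION['user_id'] still decides whether that record may be shown.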