php - Is it possible to "pirate" a session variable (I do not want to know how)
Solution:
No, unless:
- The attacker had access to the storage of the session variables (usually the filesystem of the server, but could also be e.g. a database)
- The attacker intercepted a session cookie of a more privileged user.
- The attacker successfully fixated the session of a more privileged user (see session fixation attacks).
Answer
Solution:
From what you've described I assume you aren't storing the permission in a cookie. Therefore, the only way they could get access would be to guess/brute force an administrator's session ID or use some cross-site scripting attack. If your session IDs are sufficiently long the first method would be very hard to accomplish.
Answer
Solution:
The higher risk comes from an attacker stealing an active session; you can find out about it here:
Answer
Solution:
Your session variables should be safe because the session is stored on the server. However, in order to relate a specific client with a specific session, a cookie is usually set that contains a session ID, and an attacker could try to access a different user's session by munging their session ID cookie (either by brute force or by somehow capturing someone else's cookie).
Answer
Solution:
It depends on how you are storing the session. If it is in the URL, then yes. If it is in a cookie, then maybe.
Answer
Solution:
Unless there's a security flaw in your app, someone can't just up and change session variables -- those are stored on the server, and the client never has direct access to them.
What they can do, however, is change their session ID by going to a URL like http://your.site.com/?PHPSESSID=2342f24502ade525. The potential for abuse there is twofold: (1) if they happened to know a logged-in user's session ID somehow, the session ID would let them impersonate that user, giving them all the access that user has; and (2) if they can trick someone into going to a URL that has a session ID attached, and that person logs in, they now know that user's session ID (because they provided it!), and we're back to (1).
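Added example, not part of any answer above and not code from the original page: a PHP session bootstrap that closes the two routes the last answer describes, a session ID accepted from the URL and an ID that stays the same across login. The function names and the `user_id` / `is_admin` keys are hypothetical, and it assumes PHP 7.3+ and a site served over HTTPS.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: call once per request, before any output is sent.
function start_hardened_session(): void
{
    // Take the session ID from the cookie only, never from ?PHPSESSID=...
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse IDs the server did not issue (an attacker-chosen ID is replaced).
    ini_set('session.use_strict_mode', '1');

    // Array form of session_set_cookie_params() needs PHP 7.3 or later.
    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // HTTPS only, so the cookie is not sent in clear
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Hypothetical helper: call only after the credentials have been verified.
function on_login_success(int $userId, bool $isAdmin): void
{
    // Issue a fresh ID and delete the old session file, so an ID known
    // before login no longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['is_admin'] = $isAdmin;   // the privilege stays server-side
}

// Hypothetical helper: gate for admin-only pages.
function require_admin(): void
{
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```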