Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
S
S
slava kk2019-01-14 16:34:35
PHP
slava kk, 2019-01-14 16:34:35

Can a php session be stolen?

Can another person find out the session ID and assign it to their php script via session_id('xxxxxxxxx'); (and on my server) access my site's session data?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

5 answer(s)
Report
D
Decadal, 2019-01-14
@slavchickalpha

No, in the way you described - no. Identification occurs through cookies, and they, in turn, are tied to a specific domain.
I registered it in my script - I got a cookie on my server - well done, but there is nothing there.

Report
F
FanatPHP, 2019-01-14
@FanatPHP

As always, the body of the question says something completely different from what is written in the title.
We answer both questions

Can a php session be stolen?
with normal site settings (httponly cookies, SSL) - almost impossible. Only a Trojan from a computer. But if there is access to a computer, then it’s already somehow small to bother with sessions.
Although I'm not very sure about browser extensions/toolbars. I think they have free access to cookies.
Can another person find out the session ID and assign it to his php script to get access to the session data of my site?
Of course it can.
Only not in the described way, of course. Identification occurs through cookies. Accordingly, having learned the ID, you just need to send the desired session_id from your server or browser.

Report
V
Vitaly Mironov, 2019-01-14
@nor1m

As you described, no.

Report
I
Igor Rusinov, 2019-01-24
@RusinovIG

If we are talking specifically about php sessions, then information about them is stored on the server, and, accordingly, it cannot be substituted into the request from the outside. Another issue is that often a session means an authorization session, when you store a cookie, by which the server receives information about the user and gives access to the site. In such a case, if you steal such a cookie and set it for the site in your browser, you can gain access to the user's account.

Report
B
Boris Korobkov, 2019-01-14
@BorisKorobkov

The session is stored on your server, and in cookies - its ID.
In your example, the following is theoretically possible: if an attacker is hosted on the same shared hosting from a shitty provider that does not virtualize or even share your data. But in this case, it is much easier for an attacker to steal all your sources along with the database. I hope that such hosters have already gone bankrupt.
If an attacker knows the session ID and at the same time he has the same IP (for example, when connecting to open WiFi), he will be able to get the same from your server as the original user. But this is a completely different problem. Google "Man in the middle"

Similar questions
A
Anton2021-03-27 12:39:53
Getting the selected radio item and passing it to the email body, how to display the selected item? 2Reply
M
Matvey Bubenets2017-04-20 04:38:37
How to disable Remote Desktop Licensing? 6Reply
B
Belavor2019-09-24 17:46:58
How to change time zone from server to user? 3Reply
D
Dagtor2015-05-15 14:02:52
What book, website or video course can you offer a beginner to learn SQL? 11Reply
A
Alex2019-10-09 12:42:39
How to create qr code in js? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question