I am coding a website in PHP that contains the boolean $_SESSION['logged_in']. This is set to true when a username and password match are present in the database.
I am quite new to sessions and was just wondering if it could be possible for an unregistered (or, for that matter, registered) user to bypass the login process by setting this boolean to true, as would be possible with a cookie.
I understand that the user would have to manipulate a server-side variable from the client-side, but my questions are how easy would this be, how would the user go about accomplishing such a task, are there any known exploits, and what are the best practices / preventative measures to avoid this sort of attack?
Let's start with the good news: The $_SESSION array is by default completely invisible to and unmanipulable by the client: It exists on the server, and on the server only, in an execution environment that is not open to the client.
Now back to earth: It is quite easy to get your PHP code "nearly right" and thus open a door between the client and the session as seen by the server. In addition to this, stealing a client session (including a cookie) is quite easy.
I recommend a few mitigations that have been proven quite effective:
$loggedin = ($_SESSION['cookie'] === $_COOKIE['session']);
This makes the attacker need both: cookie and session ID.
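The mitigation above, worked through as an added example in PHP (this is not the answer author's code): the login handler regenerates the session ID, issues a second random cookie and stores a copy of it in the session, and the check requires both to match. The cookie name session_bind and the find_user_hash() database stub are assumptions for the example.

```php
<?php
// Added example: bind a PHP session to a second, random cookie so that an
// attacker needs both the session ID and this cookie, as the answer describes.
declare(strict_types=1);

const BIND_COOKIE = 'session_bind';   // assumed cookie name

function find_user_hash(string $username): ?string {
    // Constructed stand-in for the database lookup from the question.
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool {
    $hash = find_user_hash($username);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Fresh session ID on privilege change: a pre-set (fixated) ID becomes useless.
    session_regenerate_id(true);

    $token = bin2hex(random_bytes(32));    // CSPRNG, 256 bits
    $_SESSION['logged_in'] = true;
    $_SESSION['user']      = $username;
    $_SESSION['cookie']    = $token;       // server-side copy of the binding token
    setcookie(BIND_COOKIE, $token, [
        'expires'  => 0,                   // session cookie
        'path'     => '/',
        'secure'   => true,                // HTTPS only
        'httponly' => true,                // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    return true;
}

function is_logged_in(): bool {
    if (empty($_SESSION['logged_in'])
        || !isset($_SESSION['cookie'], $_COOKIE[BIND_COOKIE])) {
        return false;
    }
    // Constant-time comparison of the server-side copy with the presented cookie.
    return hash_equals($_SESSION['cookie'], $_COOKIE[BIND_COOKIE]);
}

session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
session_start();
// Usage: login($_POST['user'] ?? '', $_POST['pass'] ?? ''); then gate pages on is_logged_in().
```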