Can hacker hack session_data?
#1

[eluser]Unknown[/eluser]
Hello, I just want to clear up session storage because I don't understand it thoroughly, so if someone can explain it to me, I'm very thankful. I want to know if a malicious user can change the data inside a session file. I have sess_use_database and sess_encrypt_cookie set to TRUE.

For an example scenario, I have an upload controller which checks the session data of the uploading user. The uploaded file will go to the user_id from the session storage. If a malicious user can change the session data's user_id to a different user, then the uploaded file will go to a different user. Is this possible?

What can I do to protect my application from this activity?
#2

[eluser]WanWizard[/eluser]
If your session data is in the database and a hacker can access that, they can access all data, so I shouldn't worry about sessions in particular.

Use proper validation, XSS filtering and CI's DB layer to protect yourself against SQL injection attacks, which are the best way to get into your database.
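To illustrate WanWizard's point, here is an added example (written for this thread, not CodeIgniter's own session library) of why a database-backed session cannot be edited by the browser: the user_id lives in a server-side store keyed by a random session id, and the cookie carries only that id plus an integrity tag. The `ServerSideSessionStore`, `handle_upload` and the HMAC-signed cookie are assumptions that model `sess_use_database` plus a protected cookie; CI's `sess_encrypt_cookie` encrypts the cookie rather than HMAC-signing it, so the signing step here is a stand-in.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment reads this from configuration.
SECRET_KEY = b"constructed-demo-key-not-for-production"


class ServerSideSessionStore:
    """Hypothetical model of sess_use_database: session rows live on the
    server, keyed by a random id. The browser never holds the data itself."""

    def __init__(self):
        self._rows = {}

    def create(self, data):
        sid = secrets.token_hex(16)
        self._rows[sid] = dict(data)
        return sid

    def read(self, sid):
        return self._rows.get(sid)


def sign_cookie(sid, key=SECRET_KEY):
    """Cookie value = session id + HMAC tag (stand-in for CI's cookie protection)."""
    tag = hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"


def verify_cookie(cookie, key=SECRET_KEY):
    """Return the session id if the tag is valid, else None (tampered/forged)."""
    sid, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()
    return sid if hmac.compare_digest(tag, expected) else None


def handle_upload(cookie, form_fields, store):
    """The upload controller from the question: the file's owner comes from the
    server-side session only. A user_id in the POST body is deliberately ignored."""
    sid = verify_cookie(cookie)
    if sid is None:
        return None
    session = store.read(sid)
    if not session or "user_id" not in session:
        return None
    return session["user_id"]
```

Changing any byte of the cookie invalidates the tag, and even a valid cookie can only name an existing row, never rewrite it.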
#3

[eluser]Unknown[/eluser]
[quote author="WanWizard" date="1340780038"]If your session data is in the database and a hacker can access that, they can access all data, so I shouldn't worry about sessions in particular.

Use proper validation, XSS filtering and CI's DB layer to protect yourself against SQL injection attacks, which are the best way to get into your database.[/quote]

So am I entirely secure from malicious users that modify sessions if my session data is in the database?

I have read in many articles that CodeIgniter's XSS filtering is not secure. Are there other XSS filtering libraries that I can put into my application?
#4

[eluser]WanWizard[/eluser]
Did I say that? Imho there is no such thing as "entirely secure".

Even machines not connected to a network cannot be considered secure, unless you also make physical access impossible. If not, someone could remove the disk or steal the entire server, and have access to your data.

I can't comment on the quality of CI's XSS, and what articles you refer to.

Know that security is not a product, it's a process, and should be embedded into everything you do. As a guideline you can use the OWASP XSS prevention guidelines.
