Sessions and Cookies Security
So the sessions are getting stored server-side, which means the client can't edit them. On the client side the cookie gets stored and save an id to find the right session.
Now my question is. Can a random user edit his own cookie, and then enter Eg. an admin's session?
In most scenarios, the data in the session is itself secure against user tampering as it is only manipulated on the server (this assumes the server itself is secure). So there is no reason to treat the data stored in session as "dirty" as far as needing to cleanse/validate it.
The session itself is not inherently secure whether it is being propagated via cookies or via URL parameter. It can be impersonated via a session hijacking attack. There are a number of common techniques to prevent against this, including:
- using only secure cookies transmitted over SSL
- using sufficiently long session ID's (most default implementation uses in modern langugaes do this by default). This makes it harder to "guess" at a valid session id value and minimize collision of session ID's.
- regenerating session ID's after application login
- checking against secondary data (IP address, browser user agent, etc.) to see if there are changes during a session which may indicate a hijacking attempt. Probably best to use a combination of factors here (like a change in both IP address and user agent since with mobile devices IP addresses can and do change).
- active session id rotation (i.e rotate session id on each page load)
Yes, a malicious user could modify their session id (in their local cookie) and impersonate another user to hijack their session. This is unsurprisingly called Session Hijacking.
But it is extremely unlikely an attacker could guess the correct session id. They would need to employ techniques to steal the session id from their victim.
An example of the default PHP session id cookie:
Some general rules:
- You no longer have control on any piece of data that leaves your server.
- You can edit any piece of data that enters your computer as long as your user has permission to access the resource.
- You can often read any piece of data that travels through your local network. If it isn't encrypted, you can even make sense of it.
As a result:
- Cookies must be considered user input.
- Users can always edit their own cookies.
- A hacker can easily steal your cookies in an open wifi network if site doesn't use HTTPS.
There're two main dangers regarding cookies:
- Unaware developers that store admin=1 and actually use the value to validate as admin
- Session fixation (stolen cookies)