07-26-2023, 07:04 PM
I've heard of cross-site scripting and that people can access cookies in devious ways. So I was hoping that someone could answer a few questions around these. I want to take the example of storing something in session the purest way, but using a CMS like Drupal. Let's say we have this:
```php
$data = $fancyWebService->getSuperSecureDataThatOnlyTheCurrentlyLoggedInUserCanSee();
$_SESSION['basic_variable'] = $data;
```
1. Should the user now travel from mysite.com, to devious-site.com, is there any way that someone can get the data from "basic_variable", just by knowing that the variable is called that?
2. Is there any way that the current user can see a print out of the $_SERVER variable and actually see all the contents stored in it?
3. I read somewhere that data in the session or in cookies should be "encrypted". In the above example, I'm fairly sure the data is being stored in the session, and that this session is secure. Is this the case, or is it only secure if HTTPS is enabled?
4. Drupal stores some info in cookies, if you choose to use cookies as opposed to "session", how does that affect the above?
**UPDATE**
With regards to question 2. I mean, if I type the following in a php file:
```php
print '<pre>';
print_r($_SESSION);
die();
```
(or just vardump the session variable)...
I end up with all the info I have stored there, unencrypted. My question is, is there any way a user can somehow find a way to get access to the session variable (other than through me exposing it) that would make it a bad idea to leave values unencrypted?