Since every user has a unique PHPSESSID, is it possible for two users, say A and B, for A to inject info into B's SESSION data using standard PHP running on the server?

Note, I am not using this for any wrong purposes. I'm trying to use it for chatting without DB access.

Thank you for your time.

Accepted Answer

I'm assuming you want to somehow have A chat to B by sending a message which gets placed into B's session.

First of all, A needs to learn B's session ID, perhaps by selecting their name from a list. You'll almost certainly want to encrypt these session ids, otherwise you have created a nice security hole!

So, A posts data to the server containing the target session id, and a message. Here's how we could temporarily switch session ids to write that data into the target session:

<?php
//get data from form - I'll leave the encryption of the target
//session id up to you!
//(decryptSessionId() is a placeholder for that step; it should reject
//anything it cannot verify so an arbitrary id never reaches session_id())
$target_session_id=decryptSessionId($_POST['target']);
$message=strip_tags($_POST['message']);

//remember our "real" session id and close the session
//(this also releases the lock PHP holds on the session file)
$original_session_id=session_id();
session_write_close();

//open the target session - session_id() must be called before session_start()
session_id($target_session_id);
session_start();

//add message to target session
$_SESSION['chat'][]=$message;

//close target session so the write is flushed to storage
session_write_close();

//reopen the "real" session
session_id($original_session_id);
session_start();
Written by Paul Dixon
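As an added example (not part of the original answer), one way to fill in the "encrypt the session id" step the answer leaves open: wrap the target's session id in an authenticated-encryption token so the client only ever sees an opaque value, and the server refuses any token it did not mint. The key constant and function names are assumptions; CHAT_KEY must come from server-side configuration, never from the request.

```php
<?php
// Added example: opaque, tamper-proof tokens for target session ids.
// CHAT_KEY is an assumed 32-byte server-side secret (e.g. generated once
// with random_bytes(32) and stored outside the web root).
const CHAT_KEY = 'REPLACE-WITH-32-RANDOM-BYTES-FROM-CONFIG';

// Turn a real session id into a token that can be handed to other users.
function encryptSessionId(string $sid, string $key = CHAT_KEY): string {
    $iv  = random_bytes(12);            // fresh nonce per token
    $tag = '';
    $ct  = openssl_encrypt($sid, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // URL-safe base64 of nonce || GCM tag || ciphertext
    return rtrim(strtr(base64_encode($iv . $tag . $ct), '+/', '-_'), '=');
}

// Recover the session id from a token; returns null on any tampering or
// malformed input, so the caller never passes an attacker-chosen id on.
function decryptSessionId(string $token, string $key = CHAT_KEY): ?string {
    $raw = base64_decode(strtr($token, '-_', '+/'), true);
    if ($raw === false || strlen($raw) < 12 + 16 + 1) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    // GCM verifies the tag before returning plaintext; a single flipped
    // bit anywhere in the token makes this return false.
    $sid = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($sid === false) {
        return null;
    }
    // Sanity check against PHP's session id alphabet and length range.
    // Note: with session.use_strict_mode on, PHP rejects ids it did not
    // issue, so the target session must already exist for the swap to work.
    return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid) ? $sid : null;
}

// Self-check when run from the CLI: round trip succeeds, tampering fails.
if (PHP_SAPI === 'cli') {
    $sid   = session_create_id();
    $token = encryptSessionId($sid);
    assert(decryptSessionId($token) === $sid);
    $forged = substr($token, 0, -1) . ($token[-1] === 'A' ? 'B' : 'A');
    assert(decryptSessionId($forged) === null);
    echo "ok\n";
}
```

When rendering $_SESSION['chat'] back to a page, pass each message through htmlspecialchars(); strip_tags() alone is not a sufficient defence against script injection.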
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki