Can Someone Fake A PHP Session Variable

No. Session data is stored on the server.

The session ID is the only thing transferred back and forth between the client and the server. Therefore, unless the server is hacked or has a server-side bug, the client cannot change the session data directly. In your case, the username in the session variable seems to be part of the session ID or its replacement (this is a little unclear).

That does not mean that the system does not have to ensure that only the valid client knows the session ID, because that's what links the client to the specific session. That is why the session_regenerate_id() function must be used every time a login attempt is performed. This prevents session fixation.
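As an added example (not part of the answer above, and not code from any project the question refers to), here is what the session_regenerate_id() point looks like in a login handler. The credential check, the user name and the password are made-up stand-ins; the fixation scenario in the comments is the one the answer describes: the attacker gets a known session ID into the victim's browser before login, and the question is whether that ID survives the privilege change.

```php
<?php
// Added example, not from the original answer. Two versions of a login handler
// under PHP's native session extension. Assumed: credentials_are_valid() is a
// placeholder for a real user store; 'alice' / 'correct horse' are constructed.
//
// Fixation scenario: attacker visits the site, receives session ID X, plants X
// in the victim's browser (link with PHPSESSID, cookie from a sibling host...).
// Victim logs in. If the app keeps using X for the authenticated session, the
// attacker's copy of X is now a logged-in session.

declare(strict_types=1);

// Hypothetical credential check; a real application verifies a stored
// password_hash() from its user database.
function credentials_are_valid(string $user, string $pass): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// VULNERABLE: the pre-login session ID (possibly attacker-chosen) is kept.
// After this returns true, whoever knows the old ID owns the login.
function login_vulnerable(string $user, string $pass): bool
{
    session_start();
    if (!credentials_are_valid($user, $pass)) {
        return false;
    }
    $_SESSION['username'] = $user;   // same ID, now carries a privileged session
    return true;
}

// HARDENED: issue a fresh server-generated ID at the privilege boundary and
// delete the old session data so the planted ID no longer maps to anything.
function login_hardened(string $user, string $pass): bool
{
    session_start();
    if (!credentials_are_valid($user, $pass)) {
        return false;
    }
    $old = session_id();
    session_regenerate_id(true);     // true = destroy the old session file
    $_SESSION['username']   = $user;
    $_SESSION['login_time'] = time();
    // The attacker's copy of $old now refers to nothing on the server.
    error_log("session rotated on login for $user (old id discarded)");
    return true;
}

// Logout: clear the data, expire the cookie and destroy the server-side record,
// so the ID cannot be replayed after the user thinks they have left.
function logout(): void
{
    session_start();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Pair the regeneration with session.use_strict_mode=1 (PHP 5.5.2+), which makes PHP refuse to adopt a session ID it never issued; with strict mode off, a planted ID that has no session file is silently accepted and initialised, which is exactly what a fixation attempt needs.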


The PHP sessionid issued after a successful login is generated on the server-side and only contains random data. The sessionid is sent as a cookie, and is included in every subsequent request from the client.

The session data is stored on the server, and the session id is used to reference this data for each request. The PHP sessionid is considered secure.

This has not always been the case. In previous versions of PHP, the session id was random, but the random generator was only seeded by the server's current time, remote address and process id. Once an attacker was able to figure out the state of the random generator, she could predict previous and future session ids. See http://seclists.org/fulldisclosure/2010/Mar/519

This made it possible for attackers to steal sessions for other users.

What has happened since then is that PHP, in addition to the old weak generation, fetches 32 bytes from a good random source such as /dev/urandom on a Linux system.
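As an added example (not part of the answer above), here is how the entropy source the answer mentions is actually selected, plus a runtime sanity check on the IDs that come out. The session.* directives are PHP's documented ini settings; the version boundaries in the comments are from the PHP changelog as recalled here, not from the answer, so treat them as assumptions to verify against your own PHP version.

```php
<?php
// Added example, not from the original answer. Configures how PHP generates
// session IDs, taking into account that the entropy_* directives were dropped
// when PHP 7.1 switched to always using the CSPRNG (version notes are an
// assumption from memory, check `php --ini` and the manual for your release).

declare(strict_types=1);

function harden_session_id_generation(): void
{
    if (PHP_VERSION_ID >= 70100) {
        // PHP 7.1+: the ID is always drawn from php_random_bytes(); the only
        // knobs left are length and alphabet. 48 chars * 6 bits = 288 bits.
        ini_set('session.sid_length', '48');            // default 32
        ini_set('session.sid_bits_per_character', '6'); // default 4 (hex)
    } else {
        // PHP 5.4 - 7.0: entropy_length bytes from entropy_file are mixed
        // into the hash input (the "in addition to" from the answer above).
        ini_set('session.entropy_file', '/dev/urandom');
        ini_set('session.entropy_length', '32');
        ini_set('session.hash_function', 'sha256');
        ini_set('session.hash_bits_per_character', '6');
    }

    // Reject IDs the server did not issue (simplest fixation attempts fail).
    ini_set('session.use_strict_mode', '1');
    // Keep the ID out of URLs (no referrer / log leakage) and out of JavaScript,
    // and never send it over plaintext HTTP.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    if (PHP_VERSION_ID >= 70300) {
        ini_set('session.cookie_samesite', 'Lax');
    }
}

// Check an issued ID against what the configuration above should produce:
// at least the configured length, and only characters from the 6-bit alphabet
// (a-z A-Z 0-9 , -). A short or hex-only ID means the settings did not apply
// (for example an ini_set() made after session_start()).
function session_id_looks_healthy(string $sid): bool
{
    $minLen = PHP_VERSION_ID >= 70100
        ? (int) ini_get('session.sid_length')
        : 22;   // 128 bits at 6 bits/char, the floor for the old scheme
    return strlen($sid) >= $minLen
        && preg_match('/^[A-Za-z0-9,-]+$/', $sid) === 1;
}

// Usage, once per request before any output:
//   harden_session_id_generation();
//   session_start();
//   if (!session_id_looks_healthy(session_id())) { /* log and refuse */ }
```

The ini_set() calls must run before session_start() in the same request; the session extension reads these directives when it creates the ID, so changing them afterwards has no effect on the current session.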