Session Management / Exposed Session Variables

Web and API


Exposed Session Variables is a Session Management weakness listed in the OWASP Web Security Testing Guide (WSTG-SESS-04, Testing for Exposed Session Variables) and covered by the information-exposure weaknesses in the CWE catalogue (CWE-200 and its children). It occurs when a session identifier, or the server-side state the application keeps for a session (user ID, role, cart contents and so on), can be read, guessed or modified by a user or attacker: a session token carried in a URL or in a cleartext HTTP request, written to access logs or proxy caches, or session data revealed by debug and error pages. Whoever obtains the token can hijack the session; whoever can alter the stored state can escalate privilege or tamper with other users' data.


The risk associated with Exposed Session Variables is high: an attacker holding a valid session identifier is indistinguishable from the legitimate user for as long as that session lives, so the impact ranges from reading the user's data to performing transactions in their name, and anything stored in the session (tokens, personal data) leaks along with it.


The fix is to keep session identifiers and session data out of every place an outsider could see them: transmit them only over TLS, carry the identifier in a cookie with the Secure, HttpOnly and SameSite attributes rather than in the URL, never write it to logs or error messages, keep session state on the server side, and regenerate the identifier at login and at every privilege change. The application must also treat values read back from the session as data to be validated rather than as proof of identity: authentication decisions should rest on a verified login, and session values must never be concatenated into queries or commands.


Below is an example taken from CVE-2020-9277 where a session variable was exposed. The code reads a user ID from the session and interpolates it straight into an SQL query. Nothing in the check verifies that the session itself is genuine, and because the value is not bound as a parameter, an attacker who can plant or alter users_id in the session (through an exposed or fixated session) can select any user's row, or inject SQL:

if (isset($_SESSION['users_id'])) {
  $users_id = $_SESSION['users_id'];   // taken from the session without validation
  $query = "SELECT * FROM users WHERE users_id = '$users_id'";   // string interpolation, no parameter binding
  $result = mysqli_query($con, $query);
  while ($row = mysqli_fetch_array($result)) {
    // other code
  }
}
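As an added example that is not from the original page or from the code the CVE refers to, here is a hardened version of the same check in PHP. It covers both the mitigation described above (keeping the identifier out of URLs, logs and cleartext, and regenerating it at login) and the code-level fix (binding the session value as an integer instead of interpolating it). It assumes $con is an open mysqli connection, a users table with an integer users_id primary key, PHP 7.3 or later, and a site served over HTTPS; the function names current_user, login and logout are illustrative.

```php
<?php
// Added example, not code from the original page or from CVE-2020-9277.
// Assumptions: $con is an open mysqli connection, `users` has an integer
// `users_id` primary key, PHP >= 7.3, and the site is served over HTTPS.
declare(strict_types=1);

// 1. Keep the session identifier out of URLs, links, logs and proxy caches.
//    These must run before session_start(); in production put them in php.ini.
ini_set('session.use_only_cookies', '1');  // never accept an ID from the query string
ini_set('session.use_trans_sid', '0');     // never rewrite links to carry the ID
ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue (blocks fixation)

session_set_cookie_params([
    'lifetime' => 0,          // session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => '',         // host-only cookie
    'secure'   => true,       // only sent over TLS
    'httponly' => true,       // not readable by JavaScript
    'samesite' => 'Strict',
]);
session_start();

// 2. Treat the session value as untrusted data: require an integer and bind it
//    as a parameter, so a forged or tampered users_id cannot become SQL injection.
function current_user(mysqli $con): ?array
{
    if (!isset($_SESSION['users_id']) || !is_int($_SESSION['users_id'])) {
        return null;                       // not logged in, or tampered value
    }
    $id = $_SESSION['users_id'];
    $stmt = $con->prepare('SELECT users_id, username FROM users WHERE users_id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// 3. On login, issue a fresh identifier so a pre-login ID that leaked (or was
//    planted by an attacker) is never promoted to an authenticated session.
function login(int $users_id): void
{
    session_regenerate_id(true);           // true = discard the old session data
    $_SESSION['users_id'] = $users_id;
}

// 4. On logout, wipe server-side state and expire the cookie; unset() alone
//    leaves a usable identifier in the browser.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

The ini_set calls and cookie parameters have to be in effect on every entry point before session_start() is called, so in practice they belong in php.ini or the web server's PHP configuration; they are shown inline here only so the example is self-contained. Regenerating the identifier at login is what makes an exposed pre-login token worthless, and the integer check plus parameter binding is what stops a tampered session value from reaching the database as SQL.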
