
using sessions safe?


joecooper

Recommended Posts

i use this code for admin logon on my site:

 

session_start();
$_SESSION['admin'] = "1"; // set only after the credentials have been verified

 

and then on the admin cpanel use:

 

session_start();
if ($_SESSION['admin'] == "1") { // '==' compares; the original '=' was an assignment, which is always true

  //access to database changes etc...

}

 

but some have said that session variables can be set client side so someone could hack it? is that possible?


You should NEVER hold ANY credit card information on your own server, because when (not if) someone steals it, you can't handle the lawsuits.  I'd suggest passing it to a third party credit card handler.  Are you holding actual credit card numbers, names, and expiration dates...?


If your server has register globals on and someone knows enough about your code or guesses the name of your $_SESSION['admin'] variable and you also have a variable $admin, then yes it is possible that they can set $_SESSION['admin'] to any value they want.

 

The solution is to make sure register globals are off (they were turned off by default in php4.2 in the year 2002 and have been completely eliminated in php6 due to this ability to tamper with session variables.)
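A hardened version of the login and admin gate discussed in this thread, written as an added example rather than code from the original poster or from any reply: the session flag is set only after password_verify() succeeds, the session id is regenerated before privileges are stored, the script refuses to run if register_globals is on, and the admin check uses a strict comparison (the original `IF($_SESSION['admin']="1")` is an assignment, which is always true). The stored password hash is a constructed placeholder.

```php
<?php
// Added example (not from the thread). Assumes an admin password hash that was
// created with password_hash(); the hash below is a constructed placeholder.
declare(strict_types=1);

// With register_globals on, a request parameter can overwrite a variable that
// mirrors a session key (the risk described above), so refuse to run at all.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('register_globals must be off');
}

session_start();

function adminLogin(string $user, string $password): bool
{
    // Replace with a database lookup; this hash is a constructed placeholder.
    $admins = ['admin' => '$2y$10$PLACEHOLDER_HASH_FROM_password_hash'];
    if (!isset($admins[$user]) || !password_verify($password, $admins[$user])) {
        return false;
    }
    // Prevent session fixation: issue a fresh session id before storing privileges.
    session_regenerate_id(true);
    $_SESSION = ['admin' => true, 'user' => $user];
    return true;
}

function isAdmin(): bool
{
    // isset() plus strict comparison: '=' would assign, '==' would accept "1" and 1.
    return isset($_SESSION['admin']) && $_SESSION['admin'] === true;
}

function requireAdmin(): void
{
    if (!isAdmin()) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// On the admin control panel page:
requireAdmin();
// ... access to database changes etc. ...
```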


Just read the posts in this forum.

 

Here is someone with code they are probably trying to put on a new server that wants to know what php setting to turn on so that the parameter on the end of their url sets a program variable so that they don't need to go in and change their code to use $_GET... - http://www.phpfreaks.com/forums/index.php/topic,195646.0.html

 

Here is one where the php4 they moved from had register globals on - http://www.phpfreaks.com/forums/index.php/topic,195654.0.html

 

Here is one where a login id was being replaced in the session variable whenever someone clicked on a link to pick an id to "view" - http://www.phpfreaks.com/forums/index.php/topic,194262.0.html


LOL I remember almost all of those posts.  Especially Blade's post. =/  Some of the questions on this forum are horrible, I'll admit it, but I really don't think too many people actually HAVE register_globals on because they probably don't know how to change it in php.ini (no offense).
