joecooper Posted May 5, 2008
https://forums.phpfreaks.com/topic/104268-using-sessions-safe/

I use this code for admin logon on my site:

$_SESSION['admin'] = "1";

and then on the admin cpanel use:

if ($_SESSION['admin'] == "1") {
    // access to database changes etc...
}

But some have said that session variables can be set client side, so someone could hack it? Is that possible?
DarkWater Posted May 5, 2008

I hate it when people believe ANYTHING that someone else says. Really, I do.
joecooper (Author) Posted May 5, 2008

Well, is it possible? It could be, but I don't know. I just want to know if I'm using a safe method for admin logon.
DarkWater Posted May 5, 2008

Does your server contain credit card numbers, government coin codes, NASA blueprints, or other extremely sensitive data? If you answered no to that question, then sessions are fine. =/
joecooper (Author) Posted May 5, 2008

Some credit card details, although encrypted.
revraz Posted May 5, 2008

Anything is possible, but you should be asking if it's likely. That answer would be no, it's not likely.
DarkWater Posted May 5, 2008

You should NEVER hold ANY credit card information on your own server, because when (not if) someone steals it, you can't handle the lawsuits. I'd suggest passing it to a third party credit card handler. Are you holding actual credit card numbers, names, and expiration dates...?
PFMaBiSmAd Posted May 5, 2008

If your server has register_globals on and someone knows enough about your code or guesses the name of your $_SESSION['admin'] variable, and you also have a variable $admin, then yes, it is possible that they can set $_SESSION['admin'] to any value they want. The solution is to make sure register_globals is off (it was turned off by default in PHP 4.2 in the year 2002 and has been completely eliminated in PHP 6 due to this ability to tamper with session variables).
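As an added example that is not code from the thread: the same session-based admin flag written so that it does not depend on register_globals being off by accident, uses a strict comparison in the check, and issues a new session id when the session gains admin rights. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params) served over HTTPS; the credential array, the user name and the password are made up for the demo and stand in for a database lookup.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3 or later (for the
// array form of session_set_cookie_params) served over HTTPS, and a
// hypothetical credential store passed in as $credentials.
declare(strict_types=1);

// On PHP < 5.4 register_globals still exists; refuse to run with it on, since
// that is the setting that lets a request parameter become $admin and leak
// into the session. On PHP >= 5.4 ini_get() returns false here and we go on.
if (ini_get('register_globals')) {
    http_response_code(500);
    exit('register_globals must be off');
}

// The session id is the only thing that makes this browser "the admin", so
// protect the cookie: no URL session ids, no attacker-chosen ids, no
// JavaScript access, HTTPS only.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

function adminLogin(string $user, string $password, array $credentials): bool
{
    $hash = $credentials[$user] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Fresh id on privilege change: a session id the attacker planted before
    // login must not turn into an admin session after it.
    session_regenerate_id(true);
    $_SESSION['admin']      = true;   // a boolean, not the string "1"
    $_SESSION['admin_user'] = $user;
    return true;
}

function isAdmin(): bool
{
    // isset() plus ===: only the real true set by adminLogin() passes;
    // "1", 1, or an unset key do not.
    return isset($_SESSION['admin']) && $_SESSION['admin'] === true;
}

function adminLogout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Hypothetical credential store standing in for a database lookup; the hash
// would normally be stored, not computed on every request.
$credentials = [
    'joe' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

if (isset($_POST['user'], $_POST['password'])) {
    if (!adminLogin((string) $_POST['user'], (string) $_POST['password'], $credentials)) {
        http_response_code(401);
        exit('bad login');
    }
}

// Admin cpanel guard: everything below requires an admin session.
if (!isAdmin()) {
    http_response_code(403);
    exit('admins only');
}
// access to database changes etc...
```

The guard never reads anything the client sent to decide admin status; the only input that matters is the session id cookie, which is why the cookie flags and the session_regenerate_id() on login carry the security here.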
DarkWater Posted May 5, 2008

I'm pretty sure no one in their right mind has register_globals on anymore. =P
joecooper (Author) Posted May 5, 2008

Well, it doesn't exactly, but it has the ability to bill the cards. And it's a maintenance script for a company I work for.
PFMaBiSmAd Posted May 5, 2008

Just read the posts in this forum. Here is someone with code they are probably trying to put on a new server who wants to know what PHP setting to turn on so that the parameter on the end of their URL sets a program variable, so that they don't need to go in and change their code to use $_GET... - http://www.phpfreaks.com/forums/index.php/topic,195646.0.html

Here is one where the PHP 4 they moved from had register_globals on - http://www.phpfreaks.com/forums/index.php/topic,195654.0.html

Here is one where a login id was being replaced in the session variable whenever someone clicked on a link to pick an id to "view" - http://www.phpfreaks.com/forums/index.php/topic,194262.0.html
DarkWater Posted May 5, 2008

LOL, I remember almost all of those posts. Especially Blade's post. =/ Some of the questions on this forum are horrible, I'll admit it, but I really don't think too many people actually HAVE register_globals on, because they probably don't know how to change it in php.ini (no offense).
DeanWhitehouse Posted May 5, 2008

Yeah, mine was annoying.