markyoung1984 Posted June 17, 2008

I have been reading about various security measures I can use in PHP and am now completely paranoid that my site will be hacked. I have implemented these measures, especially to stop XSS and SQL injection, as well as other things. However, my main concern is now session variables. My site requires a login for certain things. After a successful login, the username of the user is stored as a session variable. On a page that requires a login, the session is checked for the presence of a username using the isset() function. If a username is present, the user is allowed to access the page. This seems terribly insecure to me; can anyone suggest how I could enhance my security? Usernames and passwords are stored in a table. Passwords are stored encrypted.
conker87 Posted June 17, 2008

Can we has some code? Let's have a look.
webbiedave Posted June 17, 2008

PHP session IDs are very difficult to guess (many times username/password combinations can be easier to guess!) and that helps immensely with session hijacking. Keeping the session ID out of the URL helps with session fixation. If the user is about to access sensitive information, you can have your code re-ask for his/her password. If you're on a shared server, don't store your sessions in the default directory. In fact, if you're really concerned about data security, you shouldn't use shared servers at all. Of course, you must implement SSL to achieve any level of security.
markyoung1984 Posted June 17, 2008 (Author)

My session management code is the following and this is present at the top of each page:

```php
<?php
// All pages need to include this file, regardless of whether they are for login or not.
session_name('test');   // must be a quoted string and must be called before session_start()
session_start();

// Check if the user is logged on (session variable 'username' stored).
if (!isset($_SESSION['username'])) {
    $user = 0;                          // username not present, therefore not logged in
    $username = "guest";
} else {
    $user = 1;                          // username present, therefore already logged in
    $username = $_SESSION['username'];
}

include_once("blank.html");             // Output the start of the standard HTML page

// If the page requires a user to be logged in, then check.
if (($loginRequired == true) && ($user == 0)) {
    // User must log in.
    outputLogin();                      // Get them to enter username and password
    outputEnd($user);                   // Output end of the page (JavaScript init etc.)
    exit();
}
```

The $loginRequired variable is defined as either true or false at the start of the script and determines if the page needs a login or not.
conker87 Posted June 17, 2008

It's generally considered not good practice to add your username to the session variables.
webbiedave Posted June 17, 2008

> It's generally considered not good practice to add your username to the session variables.

This goes to the shared sessions directory mentioned above. Malicious users on the shared server could access the session files. It would be better to store the PK id.
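Putting webbiedave's points from both replies together (session ID kept out of the URL, a private session directory instead of the shared default, re-asking for the password before sensitive pages, and storing the primary-key ("PK") id of the user row rather than the username) as one added PHP example. This is not code from anyone in the thread. It assumes PHP 5.5 or later for password_hash()/password_verify(), an existing PDO connection in $pdo, a table named users with columns id (primary key), username and password_hash, and a session directory path; every one of those names is an assumption, not something the thread states.

```php
<?php
// Added example, not code from the original posters. Assumptions: PHP 5.5+
// (password_hash/password_verify), a PDO handle $pdo, and a table `users`
// with columns `id` (primary key), `username` and `password_hash`, where
// password_hash holds the output of password_hash($pw, PASSWORD_DEFAULT).
// All of those names, and the session directory path, are assumed.

// 1. Session hardening. Everything here must run before session_start().
ini_set('session.use_only_cookies', '1'); // never accept the id from the URL (fixation)
ini_set('session.use_trans_sid', '0');    // and never append it to links/forms
ini_set('session.cookie_httponly', '1');  // JavaScript (i.e. XSS) cannot read the cookie
ini_set('session.cookie_secure', '1');    // cookie is only sent over SSL/TLS
// On a shared host, keep session files out of the shared /tmp. The directory
// must be outside the web root, writable by the web server and readable by
// nobody else. The path below is an assumption.
session_save_path(__DIR__ . '/../private_sessions');
session_name('myapp');
session_start();

// 2. Login: verify the password and store only the primary-key id.
function login(PDO $pdo, $username, $password)
{
    // Prepared statement: the username never touches the SQL text.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;                      // unknown user or wrong password
    }
    session_regenerate_id(true);           // fresh id on privilege change; old file deleted
    $_SESSION['user_id']   = (int) $row['id'];   // the PK id, not the username
    $_SESSION['auth_time'] = time();             // when the password was last proven
    return true;
}

// 3. Per-page check: the session carries only the id; the username is looked up.
function currentUserId()
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : 0;
}

function currentUsername(PDO $pdo)
{
    $id = currentUserId();
    if ($id === 0) {
        return 'guest';
    }
    $stmt = $pdo->prepare('SELECT username FROM users WHERE id = ?');
    $stmt->execute(array($id));
    $name = $stmt->fetchColumn();
    return $name === false ? 'guest' : $name;  // row gone (user deleted) => treat as guest
}

// 4. Sensitive pages: re-ask for the password if the last proof is too old.
function needsReauth($maxAgeSeconds = 300)
{
    return !isset($_SESSION['auth_time'])
        || (time() - $_SESSION['auth_time']) > $maxAgeSeconds;
}

// 5. Logout: clear server-side data and expire the cookie in the browser.
function logout()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on a protected page, with $loginRequired / outputLogin() as in the
// original post:
//   if ($loginRequired && currentUserId() === 0) { outputLogin(); exit(); }
//   if ($sensitivePage && needsReauth()) { outputLogin(); exit(); }
```

The session file on disk then contains only an integer id and a timestamp, so a neighbour on the shared host who can read the session directory learns nothing beyond that a user is logged in; the username is fetched from the database on each request. session_regenerate_id(true) after a successful login is what actually closes session fixation: an id an attacker planted before login is discarded rather than promoted to an authenticated session.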
markyoung1984 Posted June 17, 2008 (Author)

If I don't use the username, then how do I keep track of users currently "logged on"? What session variables would I set? Would I use the session ID? I do have a shared server, therefore it's probably not a good idea to store usernames etc. on it, thanks for the warning. What is the PK ID?