
Securing session variables in PHP


markyoung1984


I have been reading about various security measures I can use in PHP and am now completely paranoid that my site will be hacked.  I have implemented these measures, especially to stop XSS and SQL injection, as well as other things.  However, my main concern is now Session variables.

 

My site requires a login for certain things.  After a successful login, the username of the user is stored as a session variable.  On a page that requires a login, the session is checked for the presence of a username using the isset() function.  If a username is present, the user is allowed to access the page.  This seems terribly insecure to me, can anyone suggest how I could enhance my security?  Usernames and passwords are stored in a table.  Passwords are stored encrypted.


PHP session ids are very difficult to guess (many times username/password combinations can be easier to guess!) and that helps immensely with session hijacking. Keeping the session id out of the URL helps with session fixation. If the user is about to access sensitive information, you can have your code re-ask for his/her password.

 

If you're on a shared server, don't store your sessions in the default directory. In fact, if you're really concerned about data security, you shouldn't use shared servers at all.

 

Of course, you must implement SSL to achieve any level of security.
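The advice in this reply (cookie-only session ids, a private session directory on a shared host, SSL, and re-asking for the password before sensitive pages) can be applied from one include file. The following is an added example written for this thread, not code posted by anyone in it; it assumes PHP 7.3 or newer, that `/var/www/example/private_sessions` is a directory you own, and that `/login.php` and `/reauth.php` are your login and re-authentication pages (all assumed names).

```php
<?php
// Added example, not code from the thread: a session bootstrap that applies the
// advice above. Include it before any output on every page.
// Assumptions: PHP >= 7.3; /var/www/example/private_sessions is a path you own;
// /login.php and /reauth.php exist (assumed URLs).

declare(strict_types=1);

// Only accept the session id from a cookie, never from the URL (no ?PHPSESSID=...),
// which removes the easiest way to hand a visitor a pre-chosen (fixed) id.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Refuse ids the server did not issue; an unknown id simply gets a fresh one.
ini_set('session.use_strict_mode', '1');

// Store session files where other tenants of a shared server cannot read them
// instead of in the world-shared default directory.
$savePath = '/var/www/example/private_sessions';   // assumed path, writable by PHP only
if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
    http_response_code(500);
    exit('session storage unavailable');
}
session_save_path($savePath);

// The cookie is sent only over HTTPS, is invisible to JavaScript (limits the
// damage of an XSS bug), and is not attached to cross-site requests.
session_set_cookie_params([
    'lifetime' => 0,          // expires with the browser session
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

session_name('APPSESSID');    // assumed name; anything but the default
session_start();

// Rotate the id every 30 minutes so a captured id has a short useful life.
$now = time();
if (!isset($_SESSION['created_at'])) {
    $_SESSION['created_at'] = $now;
} elseif ($now - $_SESSION['created_at'] > 1800) {
    session_regenerate_id(true);   // true = delete the old session file too
    $_SESSION['created_at'] = $now;
}

/**
 * Require that the user proved their password within the last $maxAge seconds.
 * $_SESSION['auth_at'] is expected to be set by your login and re-auth handlers
 * (assumed key). Call this at the top of pages that show or change sensitive data.
 */
function requireRecentAuth(int $maxAge = 300): void
{
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
    if (!isset($_SESSION['auth_at']) || time() - $_SESSION['auth_at'] > $maxAge) {
        $_SESSION['reauth_return'] = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: /reauth.php');
        exit;
    }
}
```

All `ini_set()` and cookie settings have to run before `session_start()`; once the session has started they no longer affect the current request. `requireRecentAuth()` is what a page such as "change e-mail address" would call first, so that someone who finds an unattended logged-in browser still cannot act without the password.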


My session management code is the following and this is present at the top of each page:

<?php
// All pages need to include this file, regardless of whether they are for login or not.
// $loginRequired is set to true or false by the including page before this file runs.
session_name('test');   // the name must be a quoted string, and it must be set before session_start()
session_start();

// Check if user is logged on (session variable username stored)
if (!isset($_SESSION['username'])) {
    $user = 0;  // username not present, therefore not logged in
    $username = "guest";
} else {
    $user = 1;  // username present, therefore have already logged in
    $username = $_SESSION['username'];
}

include_once("blank.html");  // Output the start of the standard HTML page

// If the page requires a user to be logged in then check
if (($loginRequired == true) && ($user == 0)) {
    // user must log in
    outputLogin();     // Get them to enter username and password (defined elsewhere)
    outputEnd($user);  // Output end of the page (JavaScript init etc, defined elsewhere)
    exit();
}

The $loginRequired variable is defined as either true or false at the start of the script and determines if the page needs a login or not.


It's generally considered not good practice to add your username to the session variables.

This goes to the shared sessions directory mentioned above. Malicious users on the shared server could access the session files. It would be better to store the PK id.
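To make the suggestion concrete for both the page-top check posted earlier and the "store the PK id" advice here: the following is an added example written for this thread, not code from any poster. The PK id is the primary-key column of the users table (an integer `id`). It assumes a PDO connection `$db` to an assumed table `users(id INT PRIMARY KEY, username VARCHAR, password_hash VARCHAR)` whose hashes were created with `password_hash()`, and that `session_start()` has already run with secure settings.

```php
<?php
// Added example, not code from the thread: keep only the user's primary-key id
// in the session, never the username or password, so a leaked session file on
// a shared host reveals nothing but an integer.
// Assumptions: PDO $db; table users(id, username, password_hash) with
// password_hash() hashes; session already started.

declare(strict_types=1);

/** Verify credentials; on success store only the PK id in the session. */
function loginUser(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the username never touches the SQL text (no injection).
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify, even for unknown usernames, so the response
    // time does not reveal which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $hash = $row['password_hash'] ?? $dummyHash;
    $verified = password_verify($password, $hash);
    if ($row === false || !$verified) {
        return false;
    }

    // New id at the moment of privilege change: any id fixed before login dies here.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];   // the PK id, nothing else
    $_SESSION['auth_at'] = time();              // used by re-auth checks before sensitive pages
    return true;
}

/** Resolve the logged-in user from the PK id, or null for guests. */
function currentUser(PDO $db): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {   // account deleted or disabled since login: drop the session
        logoutUser();
        return null;
    }
    return $user;
}

/** Clear the session data, expire the cookie and destroy the server-side file. */
function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Page-top check replacing the isset($_SESSION['username']) test:
//   $user = currentUser($db);
//   if ($loginRequired && $user === null) { outputLogin(); outputEnd(0); exit; }
// $user['username'] is then available for display, looked up fresh each request.
```

Looking the username up on every request costs one indexed primary-key query, and in exchange a renamed or deleted account takes effect immediately instead of living on in a stale session.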


If I don't use the username, then how do I keep track of users currently "logged on"?  What session variables would I set?  Would I use the session ID?  I do have a shared server, therefore it's probably not a good idea to store usernames etc. on it, thanks for the warning.  What is the PK ID?
