sorenchr Posted December 15, 2008

Hi there, quick question: For determining if a user is logged in or not, when he/she is surfing on your site, what would be the best way to check this? Currently I have two sessions which I check, 'username' and 'loggedin'. 'username' is of course the username, and 'loggedin' can have a value of either 1 or 0. Is this fine enough for security? Or is this an open invitation to session hijacking? The users' passwords are sha1 encrypted before they are stored in the db. I'm thinking of using a 'password' session (instead of 'loggedin'), and then matching up 'username' and 'password' with the db instead of just checking if 'loggedin' is 0 or 1. Would this be a more secure solution? Thanks for your time.
peranha Posted December 15, 2008

What I do as an added security is to check their ip and add it to the session, and check their current ip against the session ip.
sorenchr (Author) Posted December 15, 2008

> What I do as an added security is to check their ip and add it to the session, and check their current ip against the session ip.

Right, but which solution should I go with? The 'loggedin' or the 'password'?
sorenchr (Author) Posted December 15, 2008

Anybody?
webref.eu Posted December 15, 2008

The purpose of a logged_in session variable is to remember the logged in status of the user, so this is what should be used to manage logged in status. Here's some code of mine where I set it after a successful login:

//set logged_in session variable to 1 to indicate logged in status
$_SESSION['logged_in'] = 1;

That is the whole point of the logged_in session variable. Username and Password should be used to authenticate the user and then used to set the logged_in session variable on successful login.

Rgds
sorenchr (Author) Posted December 15, 2008

> The purpose of a logged_in session variable is to remember the logged in status of the user, so this is what should be used to manage logged in status. Here's some code of mine where I set it after a successful login:
>
> //set logged_in session variable to 1 to indicate logged in status
> $_SESSION['logged_in'] = 1;
>
> That is the whole point of the logged_in session variable. Username and Password should be used to authenticate the user and then used to set the logged_in session variable on successful login.
>
> Rgds

But wouldn't it be ridiculously easy for someone to set a fake session of 'logged_in'='1', and then they would be able to browse around the secure sites freely?
timmah1 Posted December 15, 2008

// Redirect to the login page when the session flag is absent
if (!isset($_SESSION['SESS_LOGGEDIN'])) {
    header("Location: " . $config_basedir . "login.php?error=1");
    exit; // stop here, otherwise the protected page is still sent after the redirect header
}
webref.eu Posted December 15, 2008

> But wouldn't it be ridiculously easy for someone to set a fake session of 'logged_in'='1', and then they would be able to browse around the secure sites freely?

I am not an expert in this area but my view would be no, it's not easy to fake the session variable logged_in. That's because it's your php code that determines whether the logged_in session variable is set. You will only set it after a successful login, so as long as your login code is robust, your site should be secure. What I am trying to say here is that a hacker can't just say, hey, I think I'll set a session variable of logged_in and give it a value of 1. The only thing that can decide to do this is your code that is running on the server during the login routine, so as long as you make your login routine safe, your site should be safe too.

Rgds
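The login routine, the logged_in flag and the page guard that webref.eu and timmah1 describe, put together in one added example. This is not code from any poster in the thread; it assumes a PDO connection $pdo and a users table with username and password_hash columns (both hypothetical), and it stores passwords with password_hash()/password_verify() (PHP 5.5+) instead of the bare sha1 the original poster mentions. The one addition that speaks to the hijacking question is session_regenerate_id() after a successful login, so a session id an attacker planted before login stops being valid.

```php
<?php
// Added example, not code from the thread. Assumes $pdo (PDO) and a
// hypothetical `users` table with `id`, `username`, `password_hash`.

session_start();

// Authenticate against the database. Only on success does server-side code
// set the logged_in flag; the client never gets to write $_SESSION directly.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Issue a fresh session id so a pre-login (fixated) id cannot be reused
    session_regenerate_id(true);

    $_SESSION['logged_in'] = 1;
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['username']  = $username;
    return true;
}

// Guard for protected pages: redirect to the login page and stop rendering.
function require_login(string $login_url): void
{
    if (empty($_SESSION['logged_in'])) {
        header('Location: ' . $login_url . '?error=1');
        exit; // without exit, the rest of the protected page is still sent
    }
}

// Clear the session server-side and expire the session cookie on the client.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Session data lives on the server, so a 'password' session variable would add nothing over the flag: both are only as trustworthy as the login code that sets them. What a hijacker actually needs is the session id cookie, which is why the example rotates the id at login; pairing that with session.cookie_httponly and session.cookie_secure in php.ini limits how that cookie can leak.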
sorenchr (Author) Posted December 15, 2008

Okay, guess it's pretty secure then, thx
PFMaBiSmAd Posted December 15, 2008

As long as register_globals are off, session variables can only be set by your code. What does a phpinfo() statement show for the register_globals setting?
peranha Posted December 15, 2008

Sorry, maybe I wasn't quite clear on my last post. That is why I also check the ip in the database for the logged in user with the ip from the visiting user as well as the logged_in session variable. On login store their ip and on each page, check it with the database.
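peranha's IP check, written out as an added example that is not peranha's own code. It records the client address at login and rejects a later request whose address differs; it keeps the record in $_SESSION rather than in a database row as peranha does, which is equivalent because session data is stored server-side. The helper names are hypothetical, and the User-Agent hash is an extra signal of the same kind, not something the thread mentions.

```php
<?php
// Added example, not code from the thread. Binds a logged-in session to the
// client that created it. Function names are hypothetical.

session_start();

function client_ip(): string
{
    // REMOTE_ADDR is set by the web server itself. X-Forwarded-For is a
    // client-supplied header, so do not read it unless your own reverse
    // proxy overwrites it.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Call once, right after a successful login (and after session_regenerate_id()).
function bind_session_to_client(): void
{
    $_SESSION['ip']      = client_ip();
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// True only if the request comes from the same address and browser string
// that were recorded at login.
function session_matches_client(): bool
{
    if (!isset($_SESSION['ip'], $_SESSION['ua_hash'])) {
        return false;
    }
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return hash_equals($_SESSION['ip'], client_ip())
        && hash_equals($_SESSION['ua_hash'], $ua);
}

// Page guard: a session that is not logged in, or whose client no longer
// matches, is destroyed rather than merely redirected.
function require_login_with_binding(string $login_url): void
{
    if (empty($_SESSION['logged_in']) || !session_matches_client()) {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $login_url . '?error=1');
        exit;
    }
}
```

The trade-off a practitioner should expect: users behind a carrier or corporate NAT share one address with many others, and mobile users change address mid-session, so a strict IP match both misses hijacks from the same NAT and logs legitimate users out. Treat the mismatch as a reason to re-authenticate or to log an event, not as the only defence.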