How secure are Sessions

[dptr1988]

I have a login system that uses sessions to store your userID. The userID is a public number, so I was wondering if a person could take somebody else's userID and set the session variable, and be able to login without a username and password. Let me make it plainer. Can anybody set a session variable from there web browser or only the PHP script on my server?

[micah1701]

only the php script on the server, or someone who has access to the folder on the server where sessions are stored.  Session are not stored in a place accessable over the web.

[dptr1988]

Thanks for the reply, but the [url=http://www.php.net/manual/en/ref.session.php]PHP manual[/url] seems to say otherwise.


To make my login system secure do I need to check the username and password for each page?

[birdie]

i usually do, use a mainfile or include instead of just inputting it..

You could also probably verify its info by checking its original IP (from a db or whatever) and with the IP its using right now. For example...

[code]
$object = mysql_fetch_object($query);
$dbip = $object->ip;
if($dbip == $_SERVER['remote_addr'])
{

}
else
{
exit("Not authorised..");
}
[/code]
maybe something like that?

[Chips]

Set a cookie when they login as well, with the userId being their md5 hashed sessions userid - and then check on every page that their cookie matches the sessions user id hashed?

[.josh]

http://phpsec.org/projects/guide/4.html

[dptr1988]

Thanks Crayon Violent! That is what I was intrested in.