dptr1988 Posted July 5, 2006
I have a login system that uses sessions to store your userID. The userID is a public number, so I was wondering if a person could take somebody else's userID and set the session variable, and be able to login without a username and password. Let me make it plainer. Can anybody set a session variable from their web browser, or only the PHP script on my server?
Link to comment https://forums.phpfreaks.com/topic/13741-how-secure-are-sessions/
micah1701 Posted July 5, 2006
Only the PHP script on the server, or someone who has access to the folder on the server where sessions are stored. Sessions are not stored in a place accessible over the web.
dptr1988 Posted July 5, 2006 (Author)
Thanks for the reply, but the [url=http://www.php.net/manual/en/ref.session.php]PHP manual[/url] seems to say otherwise. To make my login system secure, do I need to check the username and password for each page?
birdie Posted July 5, 2006
I usually do; use a mainfile or include instead of just inputting it. You could also probably verify its info by checking its original IP (from a db or whatever) against the IP it's using right now. For example...
[code]
// $query is a mysql_query() result that selected the stored ip for this user
$object = mysql_fetch_object($query);
$dbip = $object->ip;
// $_SERVER keys are case-sensitive: it is REMOTE_ADDR, not remote_addr
if ($dbip != $_SERVER['REMOTE_ADDR']) {
    exit("Not authorised..");
}
[/code]
Maybe something like that?
Chips Posted July 5, 2006
Set a cookie when they login as well, with the userId being their md5-hashed session userid, and then check on every page that their cookie matches the session's user id hashed?
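The two suggestions above (IP binding in birdie's post, a second cookie checked on every page in Chips's post) can be combined into one include. The following is an added example, not code from this thread: the browser only ever holds the opaque PHPSESSID cookie and a random per-login token, never the user ID, and the function names `login_user` and `require_login` are my own.

```php
<?php
// auth.php: include on every protected page (added example, not from the thread).
// $_SESSION lives on the server; the browser only holds the session ID cookie,
// so the ID is what must be protected: regenerate it at login and tie the
// session to a secret the client cannot derive from a public user ID.
session_start();

// Call only after the username/password check has succeeded.
function login_user(int $userId): void
{
    // A new ID makes any session ID chosen before login worthless (fixation).
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    // Random secret: unlike md5($userId), nobody can compute it from the public ID.
    $_SESSION['auth_token'] = bin2hex(random_bytes(32));
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
    // Second cookie, as in Chips's post, but holding the random token.
    setcookie('auth_token', $_SESSION['auth_token'], [
        'httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/',
    ]);
}

// Returns the logged-in user ID, or ends the request if the session is not valid.
function require_login(): int
{
    $sessionToken = $_SESSION['auth_token'] ?? '';
    $cookieToken  = $_COOKIE['auth_token'] ?? '';
    // IP binding as in birdie's post; see the note below about its cost.
    $ipMatches = ($_SESSION['ip'] ?? null) === ($_SERVER['REMOTE_ADDR'] ?? '');

    if (!isset($_SESSION['user_id']) || $sessionToken === ''
        || !hash_equals($sessionToken, $cookieToken) || !$ipMatches) {
        $_SESSION = [];
        session_destroy();
        header('HTTP/1.1 403 Forbidden');
        exit('Not authorised.');
    }
    return (int) $_SESSION['user_id'];
}
```

Binding the session to REMOTE_ADDR will log out users whose address changes mid-session (mobile networks, some proxies), so many sites drop that check or only log a mismatch rather than rejecting the request.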
.josh Posted July 5, 2006
http://phpsec.org/projects/guide/4.html
dptr1988 Posted July 5, 2006 (Author)
Thanks Crayon Violent! That is what I was interested in.