
dptr1988

How secure are Sessions


I have a login system that uses sessions to store your userID. The userID is a public number, so I was wondering if a person could take somebody else's userID and set the session variable, and be able to login without a username and password. Let me make it plainer. Can anybody set a session variable from their web browser, or only the PHP script on my server?

Only the PHP script on the server, or someone who has access to the folder on the server where sessions are stored. Sessions are not stored in a place accessible over the web.

Thanks for the reply, but the [url=http://www.php.net/manual/en/ref.session.php]PHP manual[/url] seems to say otherwise.


To make my login system secure do I need to check the username and password for each page?

I usually do; use a mainfile or include instead of just inputting it.

You could also probably verify its info by checking its original IP (from a db or whatever) against the IP it's using right now. For example...

[code]
// $query holds the result of a mysql_query() that selected this user's stored IP
$object = mysql_fetch_object($query);
$dbip = $object->ip;
// $_SERVER keys are upper-case; 'remote_addr' is undefined and would never match
if($dbip == $_SERVER['REMOTE_ADDR'])
{
    // IP matches the one recorded at login: continue with the page
}
else
{
    exit("Not authorised..");
}
[/code]
maybe something like that?

Set a cookie when they login as well, with the userId being their md5-hashed session userid, and then check on every page that their cookie matches the session's user id hashed?

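A per-page check in the spirit of the suggestions in this thread, written here as an added example and not taken from any poster: the userID lives only in the server-side session (which the browser cannot write to), and the accompanying cookie is a keyed hash (HMAC with a server-side secret; AUTH_SECRET is assumed to come from server config) so its value cannot be computed from the public userID alone, unlike an unkeyed md5.

```php
<?php
// Added example: login that keeps the userID in the server-side session and
// verifies it on every protected page instead of re-checking the password.
// Assumption: AUTH_SECRET is a long random string kept in server config only.
const AUTH_SECRET = 'replace-with-a-long-random-server-side-secret';

function start_session_once(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Keyed hash of the userID; a browser knowing only the public userID cannot forge it.
function user_signature(int $userId): string {
    return hash_hmac('sha256', (string) $userId, AUTH_SECRET);
}

// Call once, after the username/password have been verified against the database.
function login_user(int $userId): void {
    start_session_once();
    // Fresh session ID on login so an ID fixed before authentication is not kept.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    // HttpOnly cookie carrying the signature; Secure flag when served over HTTPS.
    setcookie('uid_sig', user_signature($userId), 0, '/', '',
              !empty($_SERVER['HTTPS']), true);
}

// Include at the top of every protected page; returns the authenticated userID.
function require_login(): int {
    start_session_once();
    $userId = $_SESSION['user_id'] ?? null;
    $sig    = $_COOKIE['uid_sig'] ?? '';
    // hash_equals compares in constant time so the check does not leak timing.
    if ($userId === null || !hash_equals(user_signature((int) $userId), $sig)) {
        session_destroy();
        http_response_code(403);
        exit('Not authorised..');
    }
    return (int) $userId;
}
```

Because the session store is server-side, a visitor who guesses another user's public userID still cannot set `$_SESSION['user_id']`; the signed cookie only adds a second check that a stolen or copied session value must also pass.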