How secure are Sessions


6 replies to this topic

#1 dptr1988

Posted 05 July 2006 - 03:13 PM

I have a login system that uses sessions to store your userID. The userID is a public number, so I was wondering if a person could take somebody else's userID and set the session variable, and be able to log in without a username and password. Let me make it plainer. Can anybody set a session variable from their web browser, or only the PHP script on my server?
Need more help with your project? One of the thousands of programmers, web designers or artists at <a href="http://www.rentacode...d_6764522">Rent A Coder</a> would be happy to help.

Disclaimer: Free advice is usually worth what you paid for it. ( or at least when it's coming from me! )

#2 micah1701

Posted 05 July 2006 - 03:22 PM

Only the PHP script on the server, or someone who has access to the folder on the server where sessions are stored. Sessions are not stored in a place accessible over the web.
"Confidence in the face of risk."

#3 dptr1988

Posted 05 July 2006 - 03:38 PM

Thanks for the reply, but the PHP manual seems to say otherwise.


To make my login system secure do I need to check the username and password for each page?

#4 birdie

Posted 05 July 2006 - 03:57 PM

I usually do; use a main file or include instead of just inputting it.

You could also probably verify its info by checking its original IP (from a DB or whatever) against the IP it's using right now. For example...

// Assumes $query is a result set containing the IP address recorded at login.
$object = mysql_fetch_object($query);
$dbip = $object->ip;
// $_SERVER keys are case-sensitive: it is 'REMOTE_ADDR', not 'remote_addr'.
if ($dbip === $_SERVER['REMOTE_ADDR'])
{
    // IP matches the one recorded at login: carry on serving the page.
}
else
{
    exit("Not authorised..");
}
maybe something like that?

#5 Chips

Posted 05 July 2006 - 04:03 PM

Set a cookie when they log in as well, with the userId being their MD5-hashed session userid, and then check on every page that their cookie matches the session's user id hashed?

#6 .josh

Posted 05 July 2006 - 05:45 PM

http://phpsec.org/pr...ts/guide/4.html
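The pattern that reply #2, the IP check in #4, the per-page check in #5 and the linked guide converge on, written out as an added example (this is not code from the thread or from phpsec.org): the user ID is kept only in the server-side $_SESSION, the session ID is regenerated at login so a pre-set ID is never promoted, and every protected page includes a single check instead of re-verifying the username and password. The user store, the password, the page names, and the choice of the User-Agent (with REMOTE_ADDR optional) as the client fingerprint are assumptions; it targets PHP 7.3 or later rather than the mysql_* style of the thread.

```php
<?php
// Added example, not code from this thread. The user store, password and
// page names are constructed for the demo.
declare(strict_types=1);

// Assumption: binding to REMOTE_ADDR is off by default. Proxies, NAT and
// mobile networks change a client's address mid-session and would log
// legitimate users out; switch it on only for a direct, stable population.
const BIND_SESSION_TO_IP = false;

// Constructed user store standing in for the database. The user ID is
// public, as in the original question; only the password hash is secret.
function user_store(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
        ];
    }
    return $users;
}

function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Only the session ID ever leaves the server, so harden how it travels:
    // cookie only (no ?PHPSESSID=), unreadable by script, HTTPS only, and
    // strict mode so an ID the server never issued is rejected (fixation).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// Values a hijacker must reproduce in addition to the stolen session ID.
function client_fingerprint(array $server): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? ''];
    if (BIND_SESSION_TO_IP) {
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\n", $parts));
}

// login.php: verify credentials once, then record who this session belongs to.
function login(string $username, string $password, array $server): bool
{
    start_session();
    $user = user_store()[$username] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Fresh ID on privilege change: whatever ID the browser arrived with is discarded.
    session_regenerate_id(true);
    $_SESSION['user_id']     = $user['id'];
    $_SESSION['fingerprint'] = client_fingerprint($server);
    return true;
}

// Include this at the top of every protected page. The browser cannot write
// $_SESSION, so a present user_id plus a matching fingerprint is the proof.
function require_login(array $server): int
{
    start_session();
    $ok = isset($_SESSION['user_id'], $_SESSION['fingerprint'])
        && hash_equals((string) $_SESSION['fingerprint'], client_fingerprint($server));
    if (!$ok) {
        logout();
        http_response_code(403);
        exit('Not authorised.');
    }
    return (int) $_SESSION['user_id'];
}

function logout(): void
{
    start_session();
    $_SESSION = [];
    session_destroy();
}

// Usage on login.php:   if (login($_POST['user'], $_POST['pass'], $_SERVER)) { header('Location: /account.php'); }
// Usage on account.php: $uid = require_login($_SERVER);
```

The fingerprint is stored in $_SESSION rather than in a second cookie, so it is compared against state the browser cannot alter; anything the client presents, session ID included, only ever selects which server-side record is consulted. Knowing someone's public user ID therefore gives an attacker nothing to set, and the remaining risk is a leaked or fixated session ID, which the regeneration at login and the cookie settings above address.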

#7 dptr1988

Posted 05 July 2006 - 05:59 PM

Thanks Crayon Violent! That is what I was interested in.



