Danny620, posted July 7, 2009:

I have a log-in system where it stores a session named 'agent' which stores HTTP_USER_AGENT, and what I have done is made a file named gatekeeper. What that does is check that the session is set and that it matches the md5 HTTP_USER_AGENT session. If none are true then it directs them to the log-in page. Is this a good way to protect pages? This is my gatekeeper file:

```php
<?php
// Lock down and check for login
if (!isset($_SESSION['agent']) or ($_SESSION['agent']) !== md5($_SERVER['HTTP_USER_AGENT'])) {
    // Session missing or User-Agent hash mismatch: send the visitor to the login page
    require_once ($_SERVER['DOCUMENT_ROOT'].'/login_functions.inc.php');
    $url = absolute_url();
    header("Location: $url");
    exit();
} else {
    // everything's ok
}
?>
```

Danny620, posted July 7, 2009:

And on the pages I want protecting I put this:

```php
require_once($_SERVER['DOCUMENT_ROOT'].'/access/gatekeeper.php');
```

cunoodle2, posted July 7, 2009:

So what's your question then...

Danny620, posted July 7, 2009:

My question is: is this code hacker free and a good method of protecting pages?

Daniel0, posted July 7, 2009:

What is there to "hack" in your code snippet? DOCUMENT_ROOT comes directly from the web server. Or am I not getting things here?

Danny620, posted July 7, 2009:

Is it possible for someone to hack a fake session?

batfink1, posted July 7, 2009:

Well, no code is "hacker free", but yeah, as long as your site isn't holding really secure data then your method should be fine.

Danny620, posted July 8, 2009:

Thanks for that, but if I were to pull the data based on the userid, could any user once logged in change their userid in the session?

Daniel0, posted July 8, 2009:

No. Session data is stored on the server.

WolfRage, posted July 8, 2009:

The user can not change any session information unless you allow them to. The session data is stored on the server. However, if you are using a shared host, any other webmaster on that server could see and modify this data. Thus you should create your own secure area for your sessions.

Danny620, posted July 8, 2009:

Thank you a lot, but one more question: if I were to have code on the pages I wanted to be protected, only for logged-in members, would it be OK if I used this:

```php
<?php
if (!isset($_SESSION['agent'])) {
    // then return them to the login page
} else {
    // is logged in
}
```

Would that be secure enough to protect my pages against not-logged-in members?

Danny620, posted July 8, 2009:

Is a webmaster the person in charge of the server that I am hosting on?

WolfRage, posted July 8, 2009:

For your code, that depends on how you are validating if they are allowed to be an agent. No, a webmaster is any other person that has hosting on the same shared server as you. For instance, your friend Dan could be paying the same company for hosting and they may put you both on the same shared server. Now if he is smart he can access all of your session data that is stored in the same default location as his session data.

Danny620, posted July 8, 2009:

So how would I go about protecting my sessions? And what's SSL, where that padlock is in the corner? How do I implement that into my code?

Daniel0, posted July 8, 2009:

> So how would I go about protecting my sessions?

Store them in a non-publicly accessible directory or create a session handler that stores in a database instead.

> And what's SSL, where that padlock is in the corner? How do I implement that into my code?

http://en.wikipedia.org/wiki/Secure_Sockets_Layer
http://en.wikipedia.org/wiki/HTTPS

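Daniel0's first suggestion (a session directory that is not publicly accessible), sketched as an added example that is not code from the thread. The function name `start_private_session` and the path `/home/example/sessions` are assumptions; substitute a directory owned by your own hosting account.

```php
<?php
// Added example, not code from the thread.
// Assumption: /home/example/sessions is a placeholder for a directory that
// belongs to your hosting account and sits outside the web root.

function start_private_session(string $dir): void
{
    // Create the directory on first use, accessible only to its owner.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("Cannot create session directory: $dir");
    }
    $real = realpath($dir);

    // Refuse a directory the web server could serve as ordinary files.
    $docRootRaw = $_SERVER['DOCUMENT_ROOT'] ?? '';
    $docRoot = $docRootRaw !== '' ? realpath($docRootRaw) : false;
    if ($docRoot !== false
        && strpos($real . '/', rtrim($docRoot, '/') . '/') === 0) {
        throw new RuntimeException('Session directory is inside the web root');
    }

    // Refuse a directory that group or other users can read, write or list.
    if ((fileperms($real) & 0077) !== 0) {
        throw new RuntimeException('Session directory is open to other users');
    }

    session_save_path($real);                  // instead of the shared default
    ini_set('session.use_only_cookies', '1');  // no session IDs in URLs
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    ini_set('session.cookie_httponly', '1');   // hide the cookie from JavaScript
    ini_set('session.cookie_secure', '1');     // HTTPS only; needs the site on SSL
    session_start();
}

// Call before any output, in place of a bare session_start().
start_private_session('/home/example/sessions');
```

Directory permissions only keep other customers out when the host runs each account's PHP under its own system user.
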
Danny620, posted July 8, 2009:

Thanks for all these comments, they have helped me a lot :) :)