Karlos2394 Posted August 13, 2009

Basically, I give each user a different session_id() when they login, and regenerate it every 15 mins. However, I was wondering if I could use session_id() as a security measure. I'm not entirely sure if this is a good way to use it, or if I'm using some bits which aren't needed at all.

```php
// Function which uses session_id()
function Delete()
{
    global $db, $ir; // $db = Database class || $ir = query for getting user's info.

    if (isset($_GET['Id'], $_GET['Auth'])) {
        // The Auth parameter from the URL must match the current session id,
        // and the session id must match the one stored for the user.
        if ($_GET['Id'] && $_GET['Auth'] == session_id() && session_id() == $ir['sId']) {
            $db->query("DELETE FROM `events` WHERE `evID`=" . $_GET['Id'] . " AND `evUSER`=" . $ir['userid']);
            $_SESSION['dResult'] = 'Event Deleted';
        } else {
            Error('An error occurred while deleting the selected event.');
        }
    } else {
        Error('An error occurred.');
    }
}

// Link to function.
echo '<a href="events.php?act=Delete&Id=', $r['evID'], '&Auth=', session_id(), '">Delete</a><br />';
```
Karlos2394 Posted August 14, 2009 Author

Can anyone actually help?
JonnoTheDev Posted August 14, 2009

"However, I was wondering if I could use session_id() as a security measure"

In what way? Your code below just deletes a database record unless I'm missing something. One thing I noticed is that you are comparing the session id against a URL parameter. Passing this value through the URL is a bad idea.

$_GET['Auth'] == session_id()
aschk Posted August 14, 2009

session_id() merely represents the cookie value for the PHP session identifier. As neil said, "in what way?" would you envisage using session_id() as a security measure? It is already partly a security measure in that the session will correlate to whatever identifier comes from the session_id()...
Daniel0 Posted August 14, 2009

"However, I was wondering if I could use session_id() as a security measure"

"In what way?"

Against CSRF it would appear.
Karlos2394 Posted August 14, 2009 Author

To be honest I haven't been in web development a long time, so I'm not sure. I was wondering if I was correctly using it, which would be an effective way to use the function. Obviously I'm not, so could someone please show me a piece or snippet of code from which I can understand how it's effective and secure by using session_id() please?

Karlos.
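The thread never gets a code answer, so here is an added example (editor's code, not written by any poster in this thread) of the usual way to do what the original Delete() function is reaching for: a CSRF token that is a separate random value stored in the session rather than session_id() itself, sent in a POST body instead of a URL query string (which is what JonnoTheDev objects to, since URLs end up in browser history, proxy logs and Referer headers), compared in constant time, and a DELETE that binds the event id as a parameter instead of concatenating `$_GET['Id']` into the SQL. It assumes `$db` is a PDO connection and `$ir['userid']` is the logged-in user's id, as in the original post; the function and field names are otherwise hypothetical.

```php
<?php
// Added example, not the original poster's code.
// Assumptions: $db is a PDO connection; $ir['userid'] is the logged-in user's id.

session_start();

// Issue one random token per session. session_id() itself stays in the
// cookie only and is never written into a page or a URL.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison, so a wrong token cannot be narrowed down byte by byte.
function csrfTokenIsValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Delete an event owned by the current user. Both ids are bound as integers,
// so the request parameters never become part of the SQL text.
function deleteEvent(PDO $db, int $userId, int $eventId): bool
{
    $stmt = $db->prepare('DELETE FROM `events` WHERE `evID` = :id AND `evUSER` = :user');
    $stmt->bindValue(':id', $eventId, PDO::PARAM_INT);
    $stmt->bindValue(':user', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// Handler: accept only POST, check the token before touching the database,
// and validate the event id as an integer. Returns a message for the user.
function handleDelete(PDO $db, array $ir): string
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return 'Method not allowed.';
    }
    if (!csrfTokenIsValid($_POST['Auth'] ?? null)) {
        return 'Invalid request token.';
    }
    $eventId = filter_input(INPUT_POST, 'Id', FILTER_VALIDATE_INT);
    if ($eventId === false || $eventId === null) {
        return 'Invalid event id.';
    }
    return deleteEvent($db, (int) $ir['userid'], $eventId)
        ? 'Event deleted.'
        : 'No such event, or it is not yours.';
}

// The delete link becomes a small form, so the token travels in the POST body.
function renderDeleteForm(int $eventId): string
{
    return sprintf(
        '<form method="post" action="events.php?act=Delete">'
        . '<input type="hidden" name="Id" value="%d">'
        . '<input type="hidden" name="Auth" value="%s">'
        . '<button type="submit">Delete</button></form>',
        $eventId,
        htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8')
    );
}

// Wiring, assuming the same dispatch the original events.php used:
// if (($_GET['act'] ?? '') === 'Delete') { $_SESSION['dResult'] = handleDelete($db, $ir); }
// and, while listing events:  echo renderDeleteForm((int) $r['evID']), '<br />';
```

Regenerating the session id at login (`session_regenerate_id(true)`) is still worthwhile, as the original poster already does; the point of a separate token is that rotating or leaking the session id no longer has anything to do with whether the delete request is accepted.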