Karlos2394 Posted August 13, 2009 Share Posted August 13, 2009 Basically, I give each user a different session_id() when they login, and regenerates every 15 mins. However, I was wondering if I could use session_id() as a security measure. I'm not entirely sure if this is a good way to use it, or if i'm using some bits which aren't needed at all. // Function whichs uses session_id() function Delete() { global $db, $ir; // $db = Database class || $ir = query for getting users info. if (isset($_GET['Id'], $_GET['Auth'])) { if ($_GET['Id'] && $_GET['Auth'] == session_id() && session_id() == $ir['sId']) { $db->query("DELETE FROM `events` WHERE `evID`=".$_GET['Id']." AND `evUSER`=".$ir['userid']); $_SESSION['dResult'] = 'Event Deleted'; } else { Error('An error occured while deleting the selected event.'); } } else { Error('An error occured.'); } } // Link to function. echo '<a href="events.php?act=Delete&Id=',$r['evID'],'&Auth=',session_id(),'">Delete</a><br />'; Quote Link to comment Share on other sites More sharing options...
Karlos2394 Posted August 14, 2009 Author Share Posted August 14, 2009 Can anyone actually help? Quote Link to comment Share on other sites More sharing options...
JonnoTheDev Posted August 14, 2009 Share Posted August 14, 2009 However, I was wondering if I could use session_id() as a security measure In what way? Your code below just deletes a database record unless i'm missing something. One thing I noticed is that you are comparing the session id against a URL paramater. Passing this value through the url is a bad idea. $_GET['Auth'] == session_id() Quote Link to comment Share on other sites More sharing options...
aschk Posted August 14, 2009 Share Posted August 14, 2009 session_id() merely represents the cookie value for the PHP session identifier. As neil said, "in what way?" would you envisage using session_id() as a security measure? It is already partly a security measure in that the session will correlate to whatever identifier comes from the session_id()... Quote Link to comment Share on other sites More sharing options...
Daniel0 Posted August 14, 2009 Share Posted August 14, 2009 However, I was wondering if I could use session_id() as a security measure In what way? Against CSRF it would appear. Quote Link to comment Share on other sites More sharing options...
Karlos2394 Posted August 14, 2009 Author Share Posted August 14, 2009 To be honest I haven't been in web development a long time, so I'm not sure, I was wondering if I was correctly using it, which would be an effective way to use the function. Obviously i'm not, could someone please show me a piece or snippet of code which I can understand how it's effective and secure by using session_id() please? Karlos. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.