meltingpoint Posted August 16, 2009
I have a flat file database and have a login script that also stores all the users/passwords in a flat file. Once the user has been verified, I load the username, their access level (allows them to view certain pages) and their user group into $_SESSION variables. This all works well, no problems. Passwords are md5'd into the database upon registration. My question is security. My site is on a shared hosting server. I feel fairly confident that my script won't get hacked (I have the necessary checks for user input etc.) but I worry about the session being hijacked or worse. So... what do you all say? Should I capture the IP address and then catch it on each successive page and compare it to the original login IP address? What steps would you take to shore up some security on a shared hosting environment without the expense of an SSL?
asmith Posted August 16, 2009
http://www.phpfreaks.com/tutorial/php-security
meltingpoint Posted August 16, 2009 (Author)
Thanks asmith, will study that page and make appropriate application. I am a little confused when referring to storing sensitive files outside the document root or public_html folder. Does that mean that you create a directory inside the document root and store sensitive documents/pages there, or place them in a directory behind the document root? For instance, in the example given in the tutorial, would I store sensitive data in the directory "library" or "modules" or "applications"?
asmith Posted August 16, 2009
No. To put it simply, when accessing a site URL like example.com, the actual directory we are visiting is normally something like this: /www/index.php or /public_html/index.php. The www/ or public_html/ is called the document root. If a file is stored outside of it, the location would look something like this: /file.ext or /folder/file.ext. Nobody can access anything outside of your document root. In other words, a folder before the example.com would be ../example.com, which no one can access.
oni-kun Posted August 16, 2009
Shared hosting usually does not allow access to anything outside the document root, especially cheaper hosts. Just make sure you bloody use .htaccess to disallow public access to your flatfile db. Your idea of recording the IP and using it as a session variable is an intelligent idea; it's funny nearly no site in existence does this. On gmail, hotmail, if you revert your IP mid-browsing you can still be in... I'd look into securing that.
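As an added example (not code from any poster in this thread), here is how the login-time setup and the per-page check discussed above could be written in modern PHP: the session id is regenerated at login, the session is bound to the login IP and a hash of the user agent, and an idle timeout is enforced. It assumes the caller has already verified the username/password against the flat file; the function names, the 1800-second idle limit and login.php are my own choices.

```php
<?php
// Keep the session id in a cookie only (never in the URL) and out of reach of script.
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Hash the user agent rather than storing it raw; empty string if the header is absent.
function client_fingerprint(): string {
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call once, right after the password check succeeds.
function start_authenticated_session(string $username, int $accessLevel, string $group): void {
    // Drop the pre-login id so an id planted before login (session fixation)
    // can never become an authenticated one.
    session_regenerate_id(true);
    $_SESSION['username']      = $username;
    $_SESSION['access_level']  = $accessLevel;
    $_SESSION['group']         = $group;
    $_SESSION['login_ip']      = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['ua_hash']       = client_fingerprint();
    $_SESSION['last_activity'] = time();
}

// Call on every protected page. Returns false if the session should be discarded.
function session_is_valid(int $idleLimit = 1800): bool {
    if (empty($_SESSION['username'])) {
        return false;
    }
    // Idle timeout: a stolen id stops working once the real user walks away.
    if (time() - ($_SESSION['last_activity'] ?? 0) > $idleLimit) {
        return false;
    }
    // IP binding as suggested in the thread. Caveat: users behind rotating proxies
    // or mobile carriers get logged out, and anyone sharing the same NAT shares the
    // IP, so treat this as one layer rather than the whole defence.
    if (($_SESSION['login_ip'] ?? '') !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        return false;
    }
    if (!hash_equals($_SESSION['ua_hash'] ?? '', client_fingerprint())) {
        return false;
    }
    $_SESSION['last_activity'] = time();
    return true;
}

// Gate a page: invalid session or insufficient access level sends the user to login.
function require_login(int $minLevel = 1): void {
    if (!session_is_valid() || ($_SESSION['access_level'] ?? 0) < $minLevel) {
        session_unset();
        session_destroy();
        header('Location: login.php');
        exit;
    }
}
```

The flat file itself still needs the .htaccess deny (or a location outside the document root) that the replies above describe; none of this code protects it from a direct HTTP request.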
meltingpoint Posted August 16, 2009 (Author)
Thanks all, great info. Cheers and enjoy the weekend.