markvaughn2006 Posted September 25, 2009
Just curious as to how secure this is...

<?php
session_start();
if (!$_SESSION['islogged']) {
    header('Location:login_index.php');
}
?>
<?php

Is there an easy way to prevent a fake session or cookie from being created and sent to the server?

Thanks, this board rocks!
https://forums.phpfreaks.com/topic/175443-session-security/
PFMaBiSmAd Posted September 25, 2009
You need an exit; statement after your header() redirect to prevent the remainder of the "protected" code on the page from being executed when the page is requested. Without an exit; all a hacker needs to do is ignore the header() redirect and he can still use anything on the protected page the same as if he was logged in.
markvaughn2006 Posted September 25, 2009 (Author)
Do you have to put the exit statement on every single PHP page? And where would it go, first thing on the page or after the session start? Thanks!
PFMaBiSmAd Posted September 25, 2009
after your header() redirect
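The two replies above describe one fix: the redirect has to be followed by exit, on every protected page, right after header(). The file below is an added example (not the original poster's code, and not from anyone in this thread) of how that is usually packaged: a single include that each protected page requires at its very top, before any output. The function name require_login() and the file name auth_check.php are invented for the example; the login page name is the one from the original post.

```php
<?php
// auth_check.php  (added example; not the original poster's code)
//
// Put this at the very top of every protected page, before any output:
//     require __DIR__ . '/auth_check.php';
//
// The gate posted above was:
//     if (!$_SESSION['islogged']) { header('Location:login_index.php'); }
// header() only adds a response header; PHP keeps executing the rest of the
// file, so the protected HTML is still sent as the body of the redirect
// response.  A client that does not follow the redirect (curl -i, or any
// script) reads that body as if it were logged in.  The exit after header()
// is what closes that hole.

declare(strict_types=1);

function require_login(string $loginPage = 'login_index.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // empty() also covers a session in which 'islogged' was never set,
    // instead of raising an undefined-index warning on a fresh session.
    if (empty($_SESSION['islogged'])) {
        // 303: fetch the login page with GET whatever method reached this page.
        header('Location: ' . $loginPage, true, 303);
        exit;   // nothing below this point, in any page that includes this file, runs
    }
}

require_login();
```

To see the difference the exit makes, request a protected page without a session cookie using `curl -i`: with the original gate the response carries the Location header and then the full protected page as its body; with the exit in place the body is empty.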
eatfishy Posted September 25, 2009
I am not a PHP expert, but I do know cookies are stored on the client side, which is easier to hack. I thought session variables are stored on the server, so it'll be much more difficult to hack.
markvaughn2006 Posted September 25, 2009 (Author)
I hope that's true, I don't really know either though.
DavidAM Posted September 25, 2009
Cookies are stored on the client machine. Sessions use cookies. BUT the only data stored in the session cookie is the ID of the session. The session data is stored on the server. So, PHP receives a session ID and looks up the data using this ID. Yes, a client could modify their session cookie to send a phony session ID, but if that ID does not match a session ID on the server, the server will not find any data for the session. So a session can be "spoofed" but the hacker would need a valid session ID to get anywhere.
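The post above is the answer to the original question: the cookie carries only the session ID, so a forged cookie is useless unless it names an ID the server already associates with a logged-in session. The login handler below is an added example (not from the thread) of the server side of that, and it goes one step past the post: by default PHP will accept a made-up ID and create a session under it, which lets an attacker plant an ID on the victim before login and reuse it afterwards (session fixation). session.use_strict_mode refuses client-chosen IDs, and session_regenerate_id() on successful login discards whatever ID the client arrived with. The user table, file names and redirect targets are constructed for the example; only the $_SESSION['islogged'] flag and login_index.php come from the original post.

```php
<?php
// login.php  (added example; not from the original thread)
declare(strict_types=1);

// Session hardening must happen before session_start().
//
// use_strict_mode: if the browser presents an ID the server never issued,
// PHP generates a fresh one instead of creating a session under the
// client-chosen ID.  Without it, an attacker can set a cookie such as
// PHPSESSID=<value the attacker picked> on the victim and, once the victim
// logs in, present that same ID and be treated as the victim.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');   // never take the ID from the URL
session_set_cookie_params([
    'lifetime' => 0,        // cookie dies with the browser session
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS (assumes the site is served over TLS)
    'httponly' => true,     // not readable from JavaScript, so XSS cannot copy it
    'samesite' => 'Lax',
]);
session_start();

// Constructed stand-in for a user table.  A real application looks the user
// up in a database; the hash would be stored there, created once with
// password_hash() at registration time.
$USERS = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');

$hash = $USERS[$username] ?? null;
if ($hash === null || !password_verify($password, $hash)) {
    // Same response for unknown user and wrong password.
    header('Location: login_index.php?failed=1', true, 303);
    exit;
}

// Credentials are good.  Throw away the ID the client arrived with and issue
// a new one, deleting the old server-side session.  Only now does the cookie
// hold an ID that maps to a logged-in session, and it is an ID that was never
// in the attacker's hands.
session_regenerate_id(true);
$_SESSION['islogged'] = true;
$_SESSION['user']     = $username;

header('Location: index.php', true, 303);
exit;
```

The protected pages keep the same gate discussed earlier in the thread: check $_SESSION['islogged'], redirect, exit. With strict mode on, a forged cookie that does not match a server-side session gets a fresh empty session, so the check fails exactly as the post above describes; what the extra settings add is that an attacker cannot choose the ID in advance, cannot read it from the browser via script, and cannot capture it off plain HTTP.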
This topic is now archived and is closed to further replies.