mme Posted November 7, 2010

Hi, I have just started learning about sessions to use with a login system with SQL. Now I was wondering if my method is secure?

When logging in, before setting the $_SESSION variables I use the session_regenerate_id() function. All passwords and ids are stored as SHA-256 hashes in the MySQL DB. I use the mysql_escape_string() and htmlspecialchars() functions to sanitize the input values of all DB queries and SESSION variables. Also the login page can only have 3 wrong attempts before the user is locked out, with a captcha after the first attempt.

Once the user logs in, on each 'protected' page it checks the variables in the $_SESSION variable against the DB value; if they do not match then it brings the user to the login page.

Also on start of each page:

if (isset($_REQUEST['_SESSION'])) { die('No Hacking'); }

Just wondering, am I missing something?

Thanks,
mme

https://forums.phpfreaks.com/topic/218041-security-with-session/
rwwd Posted November 7, 2010

Well, if you're trying to access session data, don't use the $_REQUEST global; access them directly with $_SESSION['a_name_here'], so your example would be best done like this:

if (isset($_SESSION['yourSessionVar']) && !empty($_SESSION['yourSessionVar'])) {
    echo "session exists, here is your secret page";
} else {
    // send the redirect header before any output, otherwise header() fails
    header('Location: /login.php'); // replace with your login page URL
    echo "No hacking";
    exit;
}

Something along that line would be a better way of validating a session... Everything else sounds fine though ;p

Rw
mme Posted November 12, 2010 (Author)

Thanks for your feedback. I was only using $_REQUEST for that one line of code; the rest of the code was like you suggested.

Now I have also added a session timeout using the DB, so when no activity is made for x amount of minutes the session is 'deactivated' and the user is redirected back to the login page.

Any other suggestions?
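Pulling the pieces discussed in this thread together, here is an added example (my own code, not something posted by mme or rwwd) of a login routine and a protected-page check: session id regeneration at login, the three-strikes lockout, an inactivity timeout, and a per-request re-check against the database. It assumes a PDO connection in $pdo and a hypothetical users table with columns id, username, password_hash and failed_attempts; the idle limit of 15 minutes is an assumed value. Two things are swapped in relative to the thread: passwords are verified with password_hash()/password_verify() instead of a plain SHA-256 hash, and queries use prepared statements instead of mysql_escape_string(). The $_REQUEST['_SESSION'] check from the first post is not needed: with register_globals off (it was removed in PHP 5.4) request parameters never populate $_SESSION, and with session.use_only_cookies the session id itself cannot arrive via a query string either.

```php
<?php
// Added example: secure session handling for a DB-backed login (not the thread's code).
// Assumptions: $pdo is a PDO connection; table `users` has id, username,
// password_hash (from password_hash()), failed_attempts. Schema is hypothetical.
declare(strict_types=1);

const SESSION_IDLE_LIMIT  = 15 * 60; // seconds without activity before forced re-login (assumed)
const MAX_FAILED_ATTEMPTS = 3;       // lockout threshold from the thread

function start_secure_session(): void
{
    // Cookie-only sessions: the id never travels in a URL or form field, and
    // strict mode rejects ids the server did not issue (defeats fixation attempts).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,                       // JavaScript cannot read the cookie
        'secure'   => isset($_SERVER['HTTPS']),   // only over TLS when available
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash, failed_attempts FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user or already locked out: fail without revealing which.
    if ($user === false || (int) $user['failed_attempts'] >= MAX_FAILED_ATTEMPTS) {
        return false;
    }

    if (!password_verify($password, $user['password_hash'])) {
        $pdo->prepare('UPDATE users SET failed_attempts = failed_attempts + 1 WHERE id = ?')
            ->execute([$user['id']]);
        return false;
    }

    // Privilege change: issue a fresh id so a pre-login id cannot be reused,
    // and delete the old session data (true) rather than leaving it on disk.
    session_regenerate_id(true);
    $_SESSION['user_id']       = (int) $user['id'];
    $_SESSION['last_activity'] = time();

    $pdo->prepare('UPDATE users SET failed_attempts = 0 WHERE id = ?')->execute([$user['id']]);
    return true;
}

// Call at the top of every protected page; returns the logged-in user id.
function require_login(PDO $pdo, string $login_url = '/login.php'): int
{
    $uid  = $_SESSION['user_id'] ?? null;
    $last = (int) ($_SESSION['last_activity'] ?? 0);

    // Not logged in, or idle for longer than the limit (the thread's timeout idea).
    if ($uid === null || time() - $last > SESSION_IDLE_LIMIT) {
        logout_and_redirect($login_url);
    }

    // Re-check the DB on every request, so a deleted/disabled account is
    // cut off even while its session cookie is still valid.
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE id = ?');
    $stmt->execute([$uid]);
    if ($stmt->fetchColumn() === false) {
        logout_and_redirect($login_url);
    }

    $_SESSION['last_activity'] = time();
    return (int) $uid;
}

function logout_and_redirect(string $login_url): void
{
    $_SESSION = [];
    session_destroy();
    header('Location: ' . $login_url); // header() must come before any output
    exit;
}
```

Usage: the login page calls start_secure_session() and then login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? ''); every protected page calls start_secure_session() followed by $uid = require_login($pdo); before producing any output, since require_login() may emit a redirect header. Keeping last_activity in the session rather than in the database is a simplification; storing it in the DB as mme did additionally lets an administrator revoke a session server-side.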