Jump to content

How secure is $_SESSION?

php_guy

By php_guy
in PHP Coding Help

 Share

Recommended Posts

php_guy Member

php_guy

Posted
Posted

I have parts of my webpage protected with the following

session_start();
if(!isset($_SESSION['myusername'])){
	header("Location:login.php");
} else {
	$username = $_SESSION['myusername'];
}

How secure is this?

 

The goal is so people who don't have access to the page (don't have a login account) cannot get access

 

Thanks for any tips

 

Link to comment
https://forums.phpfreaks.com/topic/220756-how-secure-is-_session/
Share on other sites
php_guy Member

php_guy

Posted
  • Author
Posted

The posted code is not secure at all. You need an exit; statement after your header() redirect to prevent the remainder of the code on the 'protected' page from being executed.

As I understand, using a header() redirect acts as an implicit exit statement, doesn't it? If not, could I just put a die() statement?

cigardude Newbie

cigardude

Posted
Posted

The posted code is not secure at all. You need an exit; statement after your header() redirect to prevent the remainder of the code on the 'protected' page from being executed.

As I understand, using a header() redirect acts as an implicit exit statement, doesn't it? If not, could I just put a die() statement?

 

It does not and if I have redirection turned off in my browser I get to see the rest of the page. :)

 

session_start();
   if(!isset($_SESSION['myusername'])){
      header("Location:login.php");
      exit();
   } else {
      $username = $_SESSION['myusername'];
   }

php_guy Member

php_guy

Posted
  • Author
Posted

The only thing a header() statement does is send a HTTP header to the browser - http://us3.php.net/manual/en/function.header.php

Wow I never knew that!

 

I just did a little sample to test this...

header('Location: login.php');
$db->execute_statement("insert into test_table values('my value')");

And it inserted a value into the DB

 

So what should I put after header() to end it there? I can't do die() because it will just stop executing the code and not actually redirect...

 

I could just put the main body of my code into the else block. So:

session_start();
if(!isset($_SESSION['myusername'])){
	header("Location:login.php");
} else {
	$username = $_SESSION['myusername'];
	// Remainder of code goes here
}

Would that suffice?

 

tomfmason Advanced Member

tomfmason

Posted
Posted

The level of security also depends on your host's setup(assuming shared host). If the session files are stored in a publicly readable directory such as /tmp (the default) and a little work I could hijack those sessions.

 

As a general rule I would set the session_save_path

<?php
ini_set("session.save_path", "/path/to/your/sessions/");
session_start();
?>

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.