How secure is $_SESSION?


php_guy


I have parts of my web page protected with the following:

session_start();
if(!isset($_SESSION['myusername'])){
	header("Location:login.php");
} else {
	$username = $_SESSION['myusername'];
}

How secure is this?

 

The goal is that people who don't have access to the page (don't have a login account) cannot get access.

 

Thanks for any tips

 

https://forums.phpfreaks.com/topic/220756-how-secure-is-_session/

The posted code is not secure at all. You need an exit; statement after your header() redirect to prevent the remainder of the code on the 'protected' page from being executed.

As I understand it, using a header() redirect acts as an implicit exit statement, doesn't it? If not, could I just put a die() statement?

 

It does not, and if I have redirection turned off in my browser, I get to see the rest of the page. :)

 

session_start();
if(!isset($_SESSION['myusername'])){
   header("Location: login.php");
   exit();
} else {
   $username = $_SESSION['myusername'];
}

The only thing a header() statement does is send an HTTP header to the browser - http://us3.php.net/manual/en/function.header.php

Wow I never knew that!

 

I just did a little sample to test this...

header('Location: login.php');
$db->execute_statement("insert into test_table values('my value')");

And it inserted a value into the DB

 

So what should I put after header() to end it there? I can't do die() because it will just stop executing the code and not actually redirect...

 

I could just put the main body of my code into the else block. So:

session_start();
if(!isset($_SESSION['myusername'])){
	header("Location:login.php");
} else {
	$username = $_SESSION['myusername'];
	// Remainder of code goes here
}

Would that suffice?

 

The level of security also depends on your host's setup (assuming a shared host). If the session files are stored in a publicly readable directory such as /tmp (the default), then with a little work I could hijack those sessions.

 

As a general rule, I would set the session_save_path:

<?php
ini_set("session.save_path", "/path/to/your/sessions/");
session_start();
?>
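A hardened version of the check discussed in this thread, as an added example that is not the original poster's code: it sets session.save_path before session_start() (as suggested above), exits after the header() redirect so the protected code never runs for an anonymous visitor, and tightens the session cookie. The save path, the login URL and the require_login() helper name are assumptions.

```php
<?php
// auth_check.php: include this at the very top of every protected page,
// before any output is sent. Added example, not code from the thread.
// Assumes a directory outside the web root (here /var/www/private/sessions)
// that is writable by the web server user; adjust the path for your host.

declare(strict_types=1);

// Keep session files out of the world-readable /tmp default (see the reply
// about hijacking on shared hosts). This must be set before session_start().
ini_set('session.save_path', '/var/www/private/sessions');

// Reject session ids the server never issued (limits session fixation).
ini_set('session.use_strict_mode', '1');

// Harden the session cookie: not readable by JavaScript, only sent over
// HTTPS, and not sent on cross-site requests.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);

session_start();

/**
 * Redirect to the login page and stop the script unless a user is logged in.
 * Returns the logged-in username when the check passes.
 */
function require_login(string $loginUrl = '/login.php'): string
{
    if (!isset($_SESSION['myusername'])) {
        // header() only queues an HTTP header; PHP keeps executing the
        // script afterwards. The exit is what actually protects the page.
        header('Location: ' . $loginUrl, true, 303);
        exit;
    }
    return $_SESSION['myusername'];
}

$username = require_login();
// Remainder of the protected page follows; it only runs when the check passed.
```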
