russthebarber, posted September 14, 2012

I have a site where users have a username, password and user_id (primary key auto generated). Every user has related products that are specific to that user. I'd like to know if anyone has any thoughts on if the following is a secure way to send info from page to page or if there is a better way:

If a user is logged in, the user_id is stored in a var and is sent in a hidden form input from page to page (not alone very secure, I know). This var can then be used to see which products belong to that user, but only after a login check has been made in the backend to see if that user_id matches the logged in user.

```php
$postUserId = $_POST['$postUserId']; // passed from page to page
if ($session->is_logged_in()) {
    $serverUserId = $session->user_id; // user_id from database of user data
    if ($postUserId == $serverUserId) {
        // all is OK
    } else {
        // all is not OK
    }
} else {
    echo "not logged in";
}
```

Anyone looking at the source code can only see the user_id and can't do anything with it as the checks are made by the session data backend..... or have I missed something? Is this really secure?

Link to comment: https://forums.phpfreaks.com/topic/268369-security-hidden-input-not-safe/

spiderwell, posted September 14, 2012

as you have stated, the server side check does give the security you need. You could store the userid into the session object and avoid it appearing in the form altogether

russthebarber (Author), posted September 14, 2012

Thanks.

spiderwell, posted September 14, 2012

looking closer at the code it does look like it already does

Psycho, posted September 14, 2012

Why do you feel you need to use a hidden form field at all? You already have the user ID stored in a session variable. Just check that the user is logged in and use the session value. I see nothing gained from using a hidden form field. It only adds unnecessary overhead, IMO.

scootstah, posted September 14, 2012

> Why do you feel you need to use a hidden form field at all? You already have the user ID stored in a session variable. Just check that the user is logged in and use the session value. I see nothing gained from using a hidden form field. It only adds unnecessary overhead, IMO.

Yup, this doesn't make much sense. You already know if the user is who the user is.

shlumph, posted September 14, 2012

> Why do you feel you need to use a hidden form field at all? You already have the user ID stored in a session variable. Just check that the user is logged in and use the session value. I see nothing gained from using a hidden form field. It only adds unnecessary overhead, IMO.

Agreed. Just store the User ID in $_SESSION. At first I thought you were persisting the User ID through forms only. That would be a big no-no.

russthebarber (Author), posted September 14, 2012

Yep, you're all right. I don't need the hidden field at all. Thanks.
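
The approach the replies converge on (take the user ID from the session, never from the form), as an added example that is not code from any poster in the thread. The table layout, the sample rows and the helper names `currentUserId`, `listOwnProducts` and `renameOwnProduct` are assumptions, and a plain array stands in for `$_SESSION`.

```php
<?php
// Added example: constructed schema and data, hypothetical helper names.
declare(strict_types=1);

// In-memory database standing in for the site's products table (constructed rows).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, name TEXT NOT NULL)');
$db->exec("INSERT INTO products (user_id, name) VALUES (1, 'alice-widget'), (2, 'bob-gadget'), (2, 'bob-gizmo')");

/** Returns the logged-in user's ID from session data, or null if nobody is logged in. */
function currentUserId(array $session): ?int
{
    return isset($session['user_id']) ? (int) $session['user_id'] : null;
}

/** Lists products for the session's user; request data is never consulted for identity. */
function listOwnProducts(PDO $db, array $session): array
{
    $userId = currentUserId($session);
    if ($userId === null) {
        throw new RuntimeException('not logged in');
    }
    $stmt = $db->prepare('SELECT id, name FROM products WHERE user_id = :uid ORDER BY id');
    $stmt->execute([':uid' => $userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Renames a product only if it belongs to the session's user; returns whether a row changed. */
function renameOwnProduct(PDO $db, array $session, int $productId, string $name): bool
{
    $userId = currentUserId($session);
    if ($userId === null) {
        throw new RuntimeException('not logged in');
    }
    // Ownership is part of the WHERE clause, so another user's product ID matches zero rows.
    $stmt = $db->prepare('UPDATE products SET name = :name WHERE id = :pid AND user_id = :uid');
    $stmt->execute([':name' => $name, ':pid' => $productId, ':uid' => $userId]);
    return $stmt->rowCount() === 1;
}

// Constructed request: user 2 is logged in, while the form carries a tampered user_id of 1.
$session = ['user_id' => 2];
$post    = ['user_id' => '1', 'product_id' => '1', 'name' => 'renamed'];

print_r(listOwnProducts($db, $session)); // the posted user_id plays no part in the query
var_dump(renameOwnProduct($db, $session, (int) $post['product_id'], $post['name'])); // targets user 1's product
var_dump(renameOwnProduct($db, $session, 2, 'bob-gadget-v2'));                       // targets user 2's own product
```

Because identity comes only from the session, there is no posted value to compare against, and record IDs that do arrive in the request are checked for ownership in the same query that acts on them.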