Liquid Fire, posted February 19, 2007:

Right now the way I do a security check is: when they first log in I check to see if the username/password matches; if so I store it in their session. Then on every page I check the session variables against the database. I have been told that I just need to make sure the session variables (like mine, which are just username and password) are set and don't need to waste the time querying the database. Can a hacker create session variables for my site in any way? Because if he can, and he creates garbage in those two session variables but I don't check against the database, he gains access. I just think checking the database every time is worth the amount of time the query needs (which is about 0.0002 secs). Is there any reason why I should not check against the database every time, unless my site starts to run slow (but 0.0002 sec should not make that much of a difference)?
tom100, posted February 19, 2007:

While it is true that it would skip a step, for anything worth being super secure, I check it every time. There are a few reasons:

1.) Malicious code can modify variables. While I try to make sure that all input is validated, there's always that chance.

2.) If you store a session in a database and a user goes into a profile setting and changes their password, that password will be updated instantly, while the session user is still strolling around with the old password. This allows for instant updating and helps protect against hacked accounts.

3.) If you want to suspend a user, etc., you can do it instantly from the database.

There are a lot more reasons, but I feel that checking against the database every time is worth it.
Cep, posted February 19, 2007:

Why would you use SESSIONs for this? A cookie would be much better, and with a cookie the user doesn't need to log in every time they close the browser window, as the cookie would be used to authenticate them. I would suggest you do not attach the password in plain text in a cookie; if you do, I would suggest using a hash such as MD5 if you decided to go down this route. As far as I know hackers cannot create sessions, but if they obtained one that was active they could in theory gain access to someone's account. An example would be someone posts a link to somewhere in your site they have visited which contained the session id, and the hacker would then use that link to enter the site and alter the user's username and pass or whatever else. Tom100 posted some very good reasons too (whilst I was typing).
printf, posted February 19, 2007:

I look at it like this: if you're going to use a database, then why use a session? If you're going to use a session, then why use a database for anything more than validating the login? There is a big difference between you controlling the complete session and doing a simple validation, then using the core PHP session handler. For simple one-script routines, the core way is fine, but for bigger applications the rule of thumb says: what you can control in your script should be controlled completely in your script. This way you don't ever have to worry about your script running in any environment, no matter what the system (OS/Server) allows or the PHP.INI uses.

printf
Liquid Fire (author), posted February 19, 2007:

To answer a few questions:

1. Why would I use a session instead of cookies if I am using a database?
A. This is a Web Portal into my Project Management System, and to increase the unlikelihood of someone getting access when they should not, I want to require them to log in every time after they close their browser. I mean, if I had it so their login is even good for a day, if someone else uses their computer after he has logged in and then closed his browser, someone else could get access into the system with their account. This kinda automatically logs out the user when they close their browser.

2. To printf:
A. All I am using the database for in reference to the login script is to validate the user. Basically there are 2 different login checks. The first one checks the username and password and then stores information about the user in the session (like email address, admin level, etc... things that I will need often). The second one just makes sure the session variables are still valid in the database. Also the variable stored in the session for the password is MD5 encrypted.

Thanks for the input, and if anyone else wants to add something please do.
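The two-check design Liquid Fire describes (a login check that seeds the session, then a per-page check that the session is still backed by the database), together with tom100's reasons for re-checking (a changed password or a suspended account must take effect immediately) and Cep's session-id-in-a-link scenario, can be put together as below. This is an added example, not code from the thread or from any poster. It assumes PHP 7.3 or later, a PDO connection $pdo supplied by the caller, HTTPS, and a hypothetical users table with the columns named in the comment; it uses password_hash()/password_verify() rather than the MD5 the posters mention, which is a choice of this example and not what the thread states.

```php
<?php
// Added example (not from the thread). Assumed table (hypothetical):
//   users(id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT,
//         email TEXT, admin_level INTEGER, is_suspended INTEGER DEFAULT 0)
// password_hash column is produced with password_hash($pw, PASSWORD_DEFAULT).
declare(strict_types=1);

// Session cookie settings: the id travels only in a cookie (never in a URL,
// so a pasted link cannot carry it), unknown ids are rejected, the cookie is
// not readable by script, and it is dropped when the browser closes.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,        // 0 = browser-session cookie
    'path'     => '/',
    'secure'   => true,     // assumes the site is served over HTTPS
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

/** First check: verify credentials against the database and seed the session. */
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT id, password_hash, email, admin_level, is_suspended
           FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;                           // unknown user or wrong password
    }
    if ((int) $user['is_suspended'] === 1) {
        return false;                           // suspended accounts cannot log in
    }

    session_regenerate_id(true);                // fresh id: a pre-login id is now useless

    $_SESSION['user_id']     = (int) $user['id'];
    $_SESSION['email']       = $user['email'];
    $_SESSION['admin_level'] = (int) $user['admin_level'];
    // Fingerprint of the stored hash (not the hash itself) so the session file
    // holds no password material; a password change makes this stop matching.
    $_SESSION['pw_fp'] = hash('sha256', $user['password_hash']);
    return true;
}

/** Second check, run on every page: is this session still valid in the database? */
function session_is_valid(PDO $pdo): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['pw_fp'])) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT password_hash, is_suspended FROM users WHERE id = :id');
    $stmt->execute([':id' => $_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || (int) $row['is_suspended'] === 1) {
        return false;                           // deleted or suspended since login
    }
    // Constant-time comparison; a changed password fails here on the next request.
    return hash_equals(hash('sha256', $row['password_hash']), $_SESSION['pw_fp']);
}

/** Call at the top of each protected page. */
function require_login(PDO $pdo): void
{
    if (!session_is_valid($pdo)) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');          // assumed login page path
        exit;
    }
}

// Usage on a protected page (after creating $pdo):
//   require_login($pdo);
//   echo 'Hello ' . htmlspecialchars($_SESSION['email']);
```

The per-request query is a single primary-key lookup, which is the cost Liquid Fire measured at a fraction of a millisecond; what it buys is that a password change, an account suspension or a deleted account ends every outstanding session on that user's next request, which a session-only check (just `isset($_SESSION['username'])`) can never do.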
Jessica, posted February 19, 2007:

> Why would you use SESSIONs for this? A cookie would be much better, and with a cookie the user doesn't need to log in every time they close the browser window, as the cookie would be used to authenticate them. I would suggest you do not attach the password in plain text in a cookie; if you do, I would suggest using a hash such as MD5 if you decided to go down this route. As far as I know hackers cannot create sessions, but if they obtained one that was active they could in theory gain access to someone's account. An example would be someone posts a link to somewhere in your site they have visited which contained the session id, and the hacker would then use that link to enter the site and alter the user's username and pass or whatever else. Tom100 posted some very good reasons too (whilst I was typing).

A cookie can be edited by the user - as you yourself said, "hackers" cannot create sessions - they can easily edit/delete/create cookies.
Liquid Fire (author), posted February 19, 2007:

> > Why would you use SESSIONs for this? A cookie would be much better, and with a cookie the user doesn't need to log in every time they close the browser window, as the cookie would be used to authenticate them. I would suggest you do not attach the password in plain text in a cookie; if you do, I would suggest using a hash such as MD5 if you decided to go down this route. As far as I know hackers cannot create sessions, but if they obtained one that was active they could in theory gain access to someone's account. An example would be someone posts a link to somewhere in your site they have visited which contained the session id, and the hacker would then use that link to enter the site and alter the user's username and pass or whatever else. Tom100 posted some very good reasons too (whilst I was typing).
>
> A cookie can be edited by the user - as you yourself said, "hackers" cannot create sessions - they can easily edit/delete/create cookies.

Yah, that would be a good reason to use sessions.