
[SOLVED] How Secure Is $_SESSION['id']


gazalec


Hi guys, on a website I am creating I am basing a lot of things around a session ID. For example, when a customer logs in they are assigned a session ID, and the pages of the website have many if statements, for example

 

if($_SESSION['cust'] != ''){
    echo "Previous orders<br>Current Orders<br>Logout<br>";
}else{
    echo "Login";
}

 

But I was wondering if it is possible to somehow obtain this session ID without actually logging in?

 

Thanks In Advance

https://forums.phpfreaks.com/topic/48774-solved-how-secure-is-_sessionid/

yes... sessions are quite secure... the first time they load, the server assigns a random 30-40 character long "key"... so if a hacker tries to replicate that... they have about a 1/1000000000 chance of finding one other one that's active...

however... if register_globals is on...

// keys are quoted; bare words like $_SESSION[test] only work through an undefined-constant notice
$_SESSION['test']='hello';
$test='world';   // with register_globals on, this overwrites the session entry
echo $_SESSION['test'];

would output world...

 

personally... I put all my user data into an array within sessions...

so... say...

$_SESSION['user']['id'];

then... you can...

// the login data is stored as an array, so a logged-in user has one
if(is_array($_SESSION['user'])){}

 

which is MUCH more secure :D
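As an added example that is not code from the thread, here is how the menu check from the question looks when the login state is kept in a nested $_SESSION['user'] array as the reply suggests, with the session started under settings that stop a guessed or pre-set ID from being accepted. The function names are the editor's own, and the settings assume PHP 7.3 or later.

```php
<?php
// Added example (not from the thread): start a session with hardened cookie
// settings, then check login state through a nested $_SESSION['user'] array
// with quoted keys.

function start_hardened_session(): void
{
    // Accept only session IDs the server itself generated; an unknown ID in the
    // cookie is replaced rather than adopted, so a pre-set ID is useless.
    ini_set('session.use_strict_mode', '1');
    // The ID travels only in a cookie, never in the URL or a form field.
    ini_set('session.use_only_cookies', '1');
    // Length in characters of generated IDs (PHP 7.1+ setting).
    ini_set('session.sid_length', '48');

    session_set_cookie_params([
        'lifetime' => 0,        // cookie expires when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by client-side JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function current_user(): ?array
{
    // Login state is a structured array; a missing or malformed entry means "not logged in".
    if (isset($_SESSION['user']) && is_array($_SESSION['user']) && isset($_SESSION['user']['id'])) {
        return $_SESSION['user'];
    }
    return null;
}

function render_menu(): string
{
    if (current_user() !== null) {
        return "Previous orders<br>Current Orders<br>Logout<br>";
    }
    return "Login";
}

start_hardened_session();
echo render_menu();
```

The check on an array rather than a single string avoids the empty-string comparison in the question, which treats any non-empty value (including one a misconfigured server could let a request set) as a login.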

Thanks for the reply. I was just wondering if you can look over the full thing just to see if it is as secure as I can make it.

 

I have a login page which basically takes both their entered username and password, searches the database using the username, takes the password of that username and checks it against the entered password. If either the password or username is empty the login fails, and if the username doesn't exist or the password doesn't match it also fails. However, if a username and password exist and match then they are assigned to $_SESSION variables ($_SESSION['cust'], $_SESSION['pass']) respectively. Then on each page, for instance previous orders, when the customer opens this page all previous orders are stored in a database with the username as a primary key, so PHP selects all records which have the username $_SESSION['cust'].

 

I was just wondering if this is a secure way to do it or if there is a better way. I am going to convert them all to arrays. I was also wondering, is it safe that the password is part of a session, as this gets transmitted between pages? Could someone somehow intercept this and use it? All passwords are encrypted with md5.

 

Thanks a lot for all the help

 

um... ya... it is secure... just when you login... just $_SESSION['user']=$row;... which would set their information from the database into that array all at once...

 

as I said before... if someone tried to hack into a session... they have at most a 1/1000000000 chance of finding the right one... and if you put your own user/password in... I personally have no issue with them knowing what their password is...  :D if you want to remove it from sessions... just unset($_SESSION['user']['password']);...

 

if you're using straight md5()/sha1() to encrypt your passwords... you probably do want to remove them from the sessions... if you built your own encrypter... as long as you alone have the source for it, and are confident in it... that choice is up to you... it's not needed in sessions...
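The login flow described in the second post, written out as an added example rather than code from either poster: the password is checked against a salted hash with password_verify() instead of an md5 comparison, the session ID is rotated once the login succeeds, only the non-secret columns of the row go into $_SESSION['user'], and the orders page looks records up by the stored customer id through a prepared statement. The table and column names (customers, orders, password_hash, customer_id) and the DSN are assumptions for the example.

```php
<?php
// Added example, not code from the thread. Assumes a "customers" table with
// columns id, username, password_hash (produced by password_hash()) and an
// "orders" table with id, customer_id, placed_at, total (hypothetical schema).

function connect(): PDO
{
    // Placeholder DSN and credentials; replace with the real ones.
    $pdo = new PDO('mysql:host=localhost;dbname=shop', 'shop_user', 'change-me');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

function login(PDO $pdo, string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false;   // empty credentials never log in
    }
    // Prepared statement: the username is bound, never interpolated into the SQL.
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM customers WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown username
    }
    // password_verify() checks the entered password against a salted, slow hash;
    // comparing md5() values gives the stored passwords no such protection.
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    // A fresh ID after authentication: an ID observed before login no longer
    // maps to the logged-in session.
    session_regenerate_id(true);
    // Keep only what the pages need; the hash (and the password itself) stays out.
    unset($row['password_hash']);
    $_SESSION['user'] = $row;
    return true;
}

function previous_orders(PDO $pdo): array
{
    if (!isset($_SESSION['user']['id'])) {
        return [];      // not logged in
    }
    // Orders are selected by the id fixed at login, not by anything the client sends.
    $stmt = $pdo->prepare(
        'SELECT id, placed_at, total FROM orders WHERE customer_id = ? ORDER BY placed_at DESC'
    );
    $stmt->execute([$_SESSION['user']['id']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage: handle a posted login form.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login(connect(), $_POST['username'] ?? '', $_POST['password'] ?? '');
    echo $ok ? 'Logged in' : 'Login failed';
}
```

When a customer record is created, store password_hash($password, PASSWORD_DEFAULT) in password_hash; existing md5 values cannot be verified this way and need to be rehashed at the user's next successful login.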
