DrTerp Posted April 3, 2006 Share Posted April 3, 2006 I have a PHP/LDAP authentication system that sets SESSION variables to indicate that a particular user has authenticated. Other SESSION variables are set as well (name, uid, groups, that sort of thing).Trouble is, I allow users to log into the system and host their own web pages. This means that a user can create a php file that sets the same SESSION variables and then go to my protected site and fool the authentication script. Clearly, I am doing something wrong. I would like to limit the ability of users to access SESSION - that would be the simplest method. Is there a way to do this or does somebody have a recommendation on the proper way to do this? Quote Link to comment Share on other sites More sharing options...
ToonMariner Posted April 3, 2006 Share Posted April 3, 2006 if your own secure pages are at risk you can do a couple of things.Set an extra field in your user database for super-user status. Give all those who need access to your super sensitive scripts a value and everyone else a different one. In your login script retrieve the users data and check to see if this new field allows them access - if it does set another session variable with a difficult to guess name. In your sensitive scripts check for the existence of this variable if its there let them in if not boot em out.You could request login once more on those scripts you want secure - annoying for you but they have to guess yoru login!!!Basicaly you need to implement some structure in login that affects you alone - so it doesn't matter if they can access there own session variables - so long as they don't ever hav the one set that gets you into yoru scripts then it should be good enough for you. Quote Link to comment Share on other sites More sharing options...
DrTerp Posted April 3, 2006 Author Share Posted April 3, 2006 I don't know that there is any security in a 'difficult to guess' name as the user's php script can print out the $_SESSION variable and discover every variable that is set.[!--quoteo(post=361067:date=Apr 2 2006, 08:41 PM:name=ToonMariner)--][div class=\'quotetop\']QUOTE(ToonMariner @ Apr 2 2006, 08:41 PM) [snapback]361067[/snapback][/div][div class=\'quotemain\'][!--quotec--]if your own secure pages are at risk you can do a couple of things.Set an extra field in your user database for super-user status. Give all those who need access to your super sensitive scripts a value and everyone else a different one. In your login script retrieve the users data and check to see if this new field allows them access - if it does set another session variable with a difficult to guess name. In your sensitive scripts check for the existence of this variable if its there let them in if not boot em out.You could request login once more on those scripts you want secure - annoying for you but they have to guess yoru login!!!Basicaly you need to implement some structure in login that affects you alone - so it doesn't matter if they can access there own session variables - so long as they don't ever hav the one set that gets you into yoru scripts then it should be good enough for you.[/quote] Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.