
PHP Session Security


DrTerp


I have a PHP/LDAP authentication system that sets SESSION variables to indicate that a particular user has authenticated. Other SESSION variables are set as well (name, uid, groups, that sort of thing).

Trouble is, I allow users to log into the system and host their own web pages. This means that a user can create a php file that sets the same SESSION variables and then go to my protected site and fool the authentication script.

Clearly, I am doing something wrong. I would like to limit the ability of users to access SESSION - that would be the simplest method. Is there a way to do this or does somebody have a recommendation on the proper way to do this?


If your own secure pages are at risk you can do a couple of things.

Set an extra field in your user database for super-user status. Give all those who need access to your super sensitive scripts a value and everyone else a different one. In your login script retrieve the user's data and check to see if this new field allows them access - if it does, set another session variable with a difficult to guess name. In your sensitive scripts check for the existence of this variable: if it's there let them in, if not boot em out.

You could request login once more on those scripts you want secure - annoying for you but they have to guess your login!!!

Basically you need to implement some structure in login that affects you alone - so it doesn't matter if they can access their own session variables - so long as they don't ever have the one set that gets you into your scripts then it should be good enough for you.

I don't know that there is any security in a 'difficult to guess' name as the user's php script can print out the $_SESSION variable and discover every variable that is set.

QUOTE (ToonMariner @ Apr 2 2006, 08:41 PM)
> If your own secure pages are at risk you can do a couple of things.
>
> Set an extra field in your user database for super-user status. Give all those who need access to your super sensitive scripts a value and everyone else a different one. In your login script retrieve the user's data and check to see if this new field allows them access - if it does, set another session variable with a difficult to guess name. In your sensitive scripts check for the existence of this variable: if it's there let them in, if not boot em out.
> You could request login once more on those scripts you want secure - annoying for you but they have to guess your login!!!
>
> Basically you need to implement some structure in login that affects you alone - so it doesn't matter if they can access their own session variables - so long as they don't ever have the one set that gets you into your scripts then it should be good enough for you.
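Added example, not part of the original thread: one way for the protected site to stop trusting bare SESSION variables is to keep its sessions in its own store and to accept the login fields only when they carry an HMAC made with a server-side key. The paths, session name and function names are hypothetical, and the sketch assumes user-hosted scripts cannot read the key file or the session directory (for example because each user's PHP runs under a separate account or is confined with open_basedir).

```php
<?php
// Added example. Hypothetical paths; both must be outside every user's web
// root and unreadable by user-hosted scripts (assumption, see lead-in).
const APP_KEY_FILE = '/etc/myapp/session.key';
const SESSION_DIR  = '/var/lib/myapp/sessions';

function load_key(): string {
    $key = @file_get_contents(APP_KEY_FILE);
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('session key missing or too short');
    }
    return $key;
}

// Tag covers the login fields and the session id they were issued for.
function auth_tag(array $auth, string $sid, string $key): string {
    return hash_hmac('sha256', json_encode(['sid' => $sid, 'auth' => $auth]), $key);
}

// Separate cookie name and save path: a session started by a user's page
// with default settings is not the session this application reads.
function start_app_session(): void {
    session_name('MYAPPSESSID');
    session_save_path(SESSION_DIR);
    session_start();
}

// Call only after the LDAP bind has succeeded.
function login_user(array $auth, string $key): void {
    session_regenerate_id(true);
    $_SESSION['auth']     = $auth;   // e.g. name, uid, groups
    $_SESSION['auth_tag'] = auth_tag($auth, session_id(), $key);
}

// Returns the login fields, or null when they are absent or were not
// written by login_user() (a script without the key cannot make the tag).
function current_user(string $key): ?array {
    $auth = $_SESSION['auth'] ?? null;
    $tag  = $_SESSION['auth_tag'] ?? null;
    if (!is_array($auth) || !is_string($tag)) {
        return null;
    }
    $expected = auth_tag($auth, session_id(), $key);
    return hash_equals($expected, $tag) ? $auth : null;
}
```

A protected page would call `start_app_session()` and then refuse the request when `current_user(load_key())` returns null. Unlike a hard-to-guess variable name, the tag can be printed by anyone who can dump `$_SESSION` without letting them forge one for a different uid.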