Jump to content


Photo

PHP Session Security


  • Please log in to reply
2 replies to this topic

#1 DrTerp

DrTerp
  • New Members
  • Pip
  • Newbie
  • 2 posts

Posted 03 April 2006 - 01:25 AM

I have a PHP/LDAP authentication system that sets SESSION variables to indicate that a particular user has authenticated. Other SESSION variables are set as well (name, uid, groups, that sort of thing).

Trouble is, I allow users to log into the system and host their own web pages. This means that a user can create a php file that sets the same SESSION variables and then go to my protected site and fool the authentication script.

Clearly, I am doing something wrong. I would like to limit the ability of users to access SESSION - that would be the simplest method. Is there a way to do this or does somebody have a recommendation on the proper way to do this?



#2 ToonMariner

ToonMariner
  • Members
  • PipPipPip
  • Advanced Member
  • 3,342 posts
  • LocationNewcastle upon Tyne, UK

Posted 03 April 2006 - 01:41 AM

if your own secure pages are at risk you can do a couple of things.

Set an extra field in your user database for super-user status. Give all those who need access to your super sensitive scripts a value and everyone else a different one. In your login script retrieve the users data and check to see if this new field allows them access - if it does set another session variable with a difficult to guess name. In your sensitive scripts check for the existence of this variable if its there let them in if not boot em out.


You could request login once more on those scripts you want secure - annoying for you but they have to guess yoru login!!!

Basicaly you need to implement some structure in login that affects you alone - so it doesn't matter if they can access there own session variables - so long as they don't ever hav the one set that gets you into yoru scripts then it should be good enough for you.
follow me on twitter @PHPsycho

#3 DrTerp

DrTerp
  • New Members
  • Pip
  • Newbie
  • 2 posts

Posted 03 April 2006 - 01:47 AM

I don't know that there is any security in a 'difficult to guess' name as the user's php script can print out the $_SESSION variable and discover every variable that is set.

[!--quoteo(post=361067:date=Apr 2 2006, 08:41 PM:name=ToonMariner)--][div class=\'quotetop\']QUOTE(ToonMariner @ Apr 2 2006, 08:41 PM) View Post[/div][div class=\'quotemain\'][!--quotec--]
if your own secure pages are at risk you can do a couple of things.

Set an extra field in your user database for super-user status. Give all those who need access to your super sensitive scripts a value and everyone else a different one. In your login script retrieve the users data and check to see if this new field allows them access - if it does set another session variable with a difficult to guess name. In your sensitive scripts check for the existence of this variable if its there let them in if not boot em out.
You could request login once more on those scripts you want secure - annoying for you but they have to guess yoru login!!!

Basicaly you need to implement some structure in login that affects you alone - so it doesn't matter if they can access there own session variables - so long as they don't ever hav the one set that gets you into yoru scripts then it should be good enough for you.
[/quote]





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users