Archived

This topic is now archived and is closed to further replies.

DrTerp

PHP Session Security

I have a PHP/LDAP authentication system that sets SESSION variables to indicate that a particular user has authenticated. Other SESSION variables are set as well (name, uid, groups, that sort of thing).

Trouble is, I allow users to log into the system and host their own web pages. This means that a user can create a php file that sets the same SESSION variables and then go to my protected site and fool the authentication script.

Clearly, I am doing something wrong. I would like to limit the ability of users to access SESSION - that would be the simplest method. Is there a way to do this or does somebody have a recommendation on the proper way to do this?

if your own secure pages are at risk you can do a couple of things.

Set an extra field in your user database for super-user status. Give all those who need access to your super sensitive scripts a value and everyone else a different one. In your login script retrieve the user's data and check to see if this new field allows them access - if it does, set another session variable with a difficult to guess name. In your sensitive scripts check for the existence of this variable; if it's there let them in, if not boot 'em out.

You could request login once more on those scripts you want secure - annoying for you but they have to guess your login!!!

Basically you need to implement some structure in login that affects you alone - so it doesn't matter if they can access their own session variables - so long as they don't ever have the one set that gets you into your scripts then it should be good enough for you.

I don't know that there is any security in a 'difficult to guess' name as the user's php script can print out the $_SESSION variable and discover every variable that is set.

Quoting ToonMariner (Apr 2 2006, 08:41 PM):

if your own secure pages are at risk you can do a couple of things.

Set an extra field in your user database for super-user status. Give all those who need access to your super sensitive scripts a value and everyone else a different one. In your login script retrieve the user's data and check to see if this new field allows them access - if it does, set another session variable with a difficult to guess name. In your sensitive scripts check for the existence of this variable; if it's there let them in, if not boot 'em out.

You could request login once more on those scripts you want secure - annoying for you but they have to guess your login!!!

Basically you need to implement some structure in login that affects you alone - so it doesn't matter if they can access their own session variables - so long as they don't ever have the one set that gets you into your scripts then it should be good enough for you.
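The weakness discussed in this thread is that any script sharing the session store can write whatever it likes into $_SESSION, so the authenticating application cannot tell its own records from forged ones. One way to close that gap is to have the application sign its session records with a key the other users cannot read; the handler below is an added example written for this thread, not code from any poster, and the PHP version, key file and save path it names are assumptions.

```php
<?php
// Added example, not from the thread. Each session record is stored with an
// HMAC keyed by a secret only the protected application can read. Another
// user's script may write into the session directory, but without the key it
// cannot produce a record that verifies, so forged $_SESSION values are dropped
// and the visitor is simply treated as not logged in.
// Assumptions (hypothetical values): PHP 8.0+, key file /etc/app/session.key
// (mode 0600, owned by the app's own OS user), save path /var/lib/php/app-sessions.
final class SignedSessionHandler implements SessionHandlerInterface
{
    private string $dir;
    private string $key;
    public function __construct(string $dir, string $keyFile)
    {
        $this->dir = rtrim($dir, '/');
        $this->key = trim((string) file_get_contents($keyFile));
    }
    private function path(string $id): string
    {   // Accept only the characters PHP uses for session ids (no "../" tricks).
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new RuntimeException('invalid session id');
        }
        return $this->dir . '/sess_' . $id;
    }
    private function mac(string $id, string $data): string
    {   // The id is bound into the MAC so a valid record cannot be copied to another id.
        return hash_hmac('sha256', $id . "\0" . $data, $this->key);
    }
    public function open($path, $name): bool { return is_dir($this->dir); }
    public function close(): bool { return true; }
    public function read($id): string
    {
        $file = $this->path($id);
        $blob = is_file($file) ? (string) file_get_contents($file) : '';
        if (strlen($blob) < 64) { return ''; }      // missing or truncated record
        $mac  = substr($blob, 0, 64);               // 64 hex chars of HMAC-SHA256
        $data = substr($blob, 64);
        return hash_equals($this->mac($id, $data), $mac) ? $data : '';  // constant-time
    }
    public function write($id, $data): bool
    {
        return file_put_contents($this->path($id), $this->mac($id, $data) . $data, LOCK_EX) !== false;
    }
    public function destroy($id): bool { $f = $this->path($id); return !is_file($f) || unlink($f); }
    public function gc($max_lifetime): int|false
    {   // Expire stale records; returns how many were removed.
        $old = array_filter(glob($this->dir . '/sess_*') ?: [], fn($f) => filemtime($f) + $max_lifetime < time());
        return count(array_filter($old, 'unlink'));
    }
}
session_set_save_handler(new SignedSessionHandler('/var/lib/php/app-sessions', '/etc/app/session.key'), true);
session_start();  // $_SESSION now only ever contains data this application wrote
```

This only helps when the application's PHP runs as its own OS user (a separate php-fpm pool or suexec) so the key file is unreadable by the other users' scripts; under a single shared mod_php user they can read the key as easily as the session files, and process separation, not signing, is the fix.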
