PHP session hijacking

[chrischen]

I'm trying to secure mywebsite before launch and I read some stuff about PHP session hijacking.

 

Right now when a user login I just check their password and username against the database and if it checks out I put their first name, and their unique user Id in a session variable. For any pages that require login I just check to see if the user ID session variable is set. Any security risks with this?

[Steve Angelis]

I would use an MD5 encyption also.

[chrischen]

Well yea i use sha1. I was just wondering if anything else in  terms of sessions. Like perhaps storing the hashed password in the session too and checking it with the user id on every restricted page?

[haku]

The way you are doing it is a safe way. Only store one variable in your sessions, and anytime anything needs to be checked, use that variable to do a database query.

 

However, if you have an admin section of your site, it would be best to store that as a separate session variable that is only ever stored on the computers of those with admin status. You should also have the admin table in your database stored as a completely separate table. The reason for this is that a person could potentially hack their session variable and find out their user id, then just start trying user IDs at random until they find one that is an admin. If the admin details are stored in a separate table, and a check is done with an entirely different session variable, they will never have the session variable on their computer to be able to hack, and hacking the one that they do have wont produce any results.

[chrischen]

But if i were to store the hashed password in a variable after login and check on every restricted page wouldn't that prevent the random guessing of user id problem?