Sessions Security


Poll: Sessions or Cookies

Cookies - 0 votes
Cookies - 0 votes
SSL - 1 vote (100%)
Other - 0 votes

Total votes: 1

icesolid
Forum Regular
Posts: 502
Joined: Mon May 06, 2002 9:36 pm
Location: Buffalo, NY

Sessions Security

Post by icesolid »

I currently use sessions for users logging on to a client's web site. I know that the method I use is not secure. I was wondering how I could make the login.php script more secure (md5, different session settings, naming the session), the somepage.php more secure, and whether the logout.php script is adequate. I really don't think I need to save the session_id() because all I am using the session for is to gain access; after they log out I don't want anything saved as far as sessions go, I want them all erased on logout, even the session_id if possible. The code I currently use is listed below:

login.php

Code:

<?php
include("connect.php");

// Both values are lowercased, so the password loses its case before comparison
$username = strtolower(trim($_POST["username"]));
$password = strtolower(trim($_POST["password"]));

// $username and $password are interpolated into the SQL unescaped, and the
// password is compared as plaintext (both points are what the post asks about)
$result = mysql_query("SELECT * FROM users WHERE username='$username' && password='$password'");
$row = mysql_fetch_array($result);

if(!$_POST["username"]) {
    header("Location: index.php");
} elseif(!$_POST["password"]) {
    header("Location: index.php");
} elseif($username == $row["username"] && $password == $row["password"]) {
    $result = mysql_query("SELECT username,user_code,account_type FROM users WHERE username='$username'");
    $row = mysql_fetch_array($result);

    // Session is started with whatever id the browser already sent
    session_start();
    $_SESSION["user"] = $row["username"];
    $_SESSION["user_code"] = $row["user_code"];
    $_SESSION["account_type"] = $row["account_type"];

    header("Location: index.php");
} else {
    header("Location: index.php");
}
?>
somepage.php

Code:

<?php
session_start();

if($_SESSION["account_type"] !== "Customer") {
    // Do not allow access
    header("Location: logout.php");
    // Stop here: header() only sends a redirect, the script would otherwise
    // keep running and serve the rest of the page
    exit;
}

if($_SESSION["account_type"] == "Customer") {
    // Allow access
}
?>
logout.php

Code:

<?php
session_start();
session_unset();
$_SESSION = array();
// Destroys the server-side data; the session cookie itself stays in the browser
session_destroy();

header("Location: index.php");
exit;
?>
P.S. Sorry about the duplicate options on the poll, when I came back in to edit them they were not available for edit.

feyd | I've rebuilt your poll.
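The points the original post asks about (hashing instead of plaintext passwords, session settings, naming the session, a somepage.php check that actually denies, and a logout that leaves nothing behind) can be shown in one file. This is an added example, not the poster's code: it assumes PHP 7.3 or newer, a PDO connection in `$pdo` set up by connect.php, and that the `password` column of the poster's `users` table holds a `password_hash()` value rather than plaintext (an assumed schema change). The function names are mine.

```php
<?php
// Added example (not the original poster's code). Assumes PHP >= 7.3, $pdo from
// connect.php, and users.password holding password_hash() output (assumption).

function start_secure_session(): void
{
    // Name the session so the cookie does not advertise the default PHPSESSID
    session_name('CLIENTSESS');
    // HttpOnly keeps scripts from reading the id, Secure keeps it off plain HTTP,
    // SameSite=Lax limits cross-site sends; lifetime 0 = until the browser closes
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Accept only ids the server issued; never adopt one supplied by the client
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool
{
    $username = trim($username);
    // The password is not lowercased or trimmed: case is part of the secret
    if ($username === '' || $password === '') {
        return false;
    }
    // Parameterised query: user input never becomes part of the SQL text
    $stmt = $pdo->prepare(
        'SELECT username, password, user_code, account_type FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() compares against the stored hash; a missing row fails too
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    // Fresh id on privilege change, so a pre-login id cannot be fixed by an attacker
    session_regenerate_id(true);
    $_SESSION['user']         = $row['username'];
    $_SESSION['user_code']    = $row['user_code'];
    $_SESSION['account_type'] = $row['account_type'];
    return true;
}

function require_account_type(string $wanted): void
{
    // Fail closed: an unset type is denied like a wrong one, and exit stops the page
    if (!isset($_SESSION['account_type']) || $_SESSION['account_type'] !== $wanted) {
        header('Location: logout.php');
        exit;
    }
}

function logout(): void
{
    $_SESSION = [];
    // Remove the cookie from the browser as well, so the old id is gone on both sides
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
    header('Location: index.php');
    exit;
}

// login.php:    start_secure_session();
//               if (login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//                   header('Location: index.php'); exit;
//               }
// somepage.php: start_secure_session(); require_account_type('Customer');
// logout.php:   start_secure_session(); logout();
```

When an account is created, store `password_hash($password, PASSWORD_DEFAULT)` in the `password` column; `password_verify()` then handles the comparison and the algorithm choice. The poster's worry about the session id is answered by `logout()`: destroying the server-side data and expiring the cookie together means nothing about the session survives on either end.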
icesolid
Forum Regular
Posts: 502
Joined: Mon May 06, 2002 9:36 pm
Location: Buffalo, NY

Post by icesolid »

Anyone with suggestions?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Here are a couple of quick things about the code, ignoring the broader security issues of using sessions.

- Use preg_replace to clean your usernames and passwords.

- Don't force passwords to lowercase, because mixed-case passwords are harder to guess.

- I think the code could be just:

Code:

session_start();

// Deny when the type is missing as well as when it is wrong, and stop the
// script after the redirect so the rest of the page is not served
if(!isset($_SESSION["account_type"]) || ($_SESSION["account_type"] != "Customer")) {
    // Do not allow access
    header("Location: logout.php");
    exit;
} else {
    // Allow access
}
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

hmm, the poll

Sessions or Cookies
Cookies
Cookies
SSL
Other

haha where's the session choice :P
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

I use sessions because I never want to turn a user away from my website for any reason (i.e. disabling cookies). I only use cookies as an optional feature (auto login) kind of deal. Cookies can be stolen easier than a session.

I did not vote because the option for a session was not there.
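The optional auto-login cookie mentioned above is the kind of cookie that is worth building so that a stolen copy does as little damage as possible. This is an added example, not shiznatix's code: it assumes PHP 7.3 or newer, a PDO connection in `$pdo`, and a table `remember_tokens(selector, validator_hash, user_id, expires)` that the page does not describe. The cookie carries a lookup selector plus a random validator, the database stores only a hash of the validator, and every successful use rotates the token.

```php
<?php
// Added example (not from any poster). Assumes PHP >= 7.3, $pdo from connect.php,
// and an assumed table remember_tokens(selector, validator_hash, user_id, expires).

const REMEMBER_COOKIE = 'remember';
const REMEMBER_DAYS   = 30;

// Issue a new token: the browser gets selector:validator, the database keeps only
// a hash of the validator, so a dumped table cannot be turned into valid cookies
function issue_remember_token(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret, sent to the client once
    $expires   = time() + REMEMBER_DAYS * 86400;

    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Redeem a cookie: look up by selector, compare the validator hash in constant
// time, then rotate so a replayed copy of the old cookie stops working
function redeem_remember_token(PDO $pdo, string $cookie): ?int
{
    if (substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);

    $stmt = $pdo->prepare(
        'SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = ?'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires'] < time()) {
        return null;
    }

    $delete = $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?');
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Right selector, wrong validator: treat the token as compromised and revoke it
        $delete->execute([$selector]);
        return null;
    }
    // One-time use: remove the spent token and hand out a fresh one
    $delete->execute([$selector]);
    issue_remember_token($pdo, (int)$row['user_id']);
    return (int)$row['user_id'];
}

// On a page load with no logged-in session:
// if (empty($_SESSION['user']) && isset($_COOKIE[REMEMBER_COOKIE])) {
//     $uid = redeem_remember_token($pdo, $_COOKIE[REMEMBER_COOKIE]);
//     if ($uid !== null) { session_regenerate_id(true); $_SESSION['user_id'] = $uid; }
// }
```

Two details carry the security: `hash_equals()` keeps the comparison constant-time, and looking up by selector rather than by the validator means the secret is never used as a database key, so the timing of the lookup reveals nothing about it.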
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

shiznatix wrote: Cookies can be stolen easier than a session.

Not sure what you meant by that?
icesolid
Forum Regular
Posts: 502
Joined: Mon May 06, 2002 9:36 pm
Location: Buffalo, NY

Post by icesolid »

The option for sessions was there when I posted the poll, I'm not sure what happened to it?

That's what I would have voted for!
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

I would say sessions normally - no data is sent as clear text across the network, just a session id, and some minor Cookie data you might require for maybe a remember-me feature.
Christopher wrote: Use preg_replace to clean your usernames and passwords.

Let's not forget ctype_alpha(), ctype_alnum(), etc.
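Christopher's preg_* suggestion and Maugrim's ctype_* one are two ways of doing the same job, and the difference between rejecting bad input and stripping it matters. This is an added example, not code from either poster: the username policy (3 to 20 characters of letters, digits and underscore) is an assumption, and the function names are mine. It shows both checks and keeps the password untouched, as advised earlier in the thread.

```php
<?php
// Added example (not from any poster). The 3-20 character, [A-Za-z0-9_]
// username policy is an assumption made for the example.

// Allowlist check: refuse anything outside the policy instead of silently
// stripping characters, so "ad'min" is rejected rather than turned into "admin"
function username_is_valid(string $username): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $username) === 1;
}

// The same idea with ctype_alnum(): no pattern to get wrong, but no underscore either
function username_is_alnum(string $username): bool
{
    $len = strlen($username);
    return $len >= 3 && $len <= 20 && ctype_alnum($username);
}

// Normalise the username only; the password is left exactly as typed
function normalise_credentials(string $username, string $password): array
{
    return [strtolower(trim($username)), $password];
}

// Returns the cleaned pair, or null when the input should be refused outright
function validate_login_input(array $post): ?array
{
    $username = (string)($post['username'] ?? '');
    $password = (string)($post['password'] ?? '');
    [$username, $password] = normalise_credentials($username, $password);
    if (!username_is_valid($username) || $password === '') {
        return null;
    }
    return ['username' => $username, 'password' => $password];
}

// Constructed sample inputs for a quick run from the command line
$samples = [
    ['username' => 'Alice_01', 'password' => 'MixedCase!'],
    ['username' => "ad'min",   'password' => 'x'],
    ['username' => 'al',       'password' => 'x'],
];
foreach ($samples as $s) {
    $r = validate_login_input($s);
    echo $s['username'], ' => ', ($r === null ? 'rejected' : 'accepted as ' . $r['username']), PHP_EOL;
}
```

Validation like this is a second layer, not a substitute for prepared statements: the allowlist keeps junk out of the application, while the parameterised query is what keeps whatever does get through from being interpreted as SQL.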