sessions security...

Kyori
Forum Newbie
Posts: 23
Joined: Mon Oct 14, 2002 5:23 am

Post by Kyori »

In my script I use

Code:

$username = $_SESSION['username'];

I wonder if that is secure. I'm testing on IIS and I understand that sessions use cookies, but I can't find the cookie for this one. Anyway, would the above method be easy to hack or not? I'm planning to upload on Tripod and then to a good server when the whole site is finished.


Also, how do I pass POSTed variables w/o using inputs? Like passing them from anchors <a href>

thx
BigE
Site Admin
Posts: 139
Joined: Fri Apr 19, 2002 9:49 am
Location: Missouri, USA

Post by BigE »

That is fine. If you want all of the variables from $_SESSION without calling $_SESSION, just do extract($_SESSION) (php.net/extract). Also, you can't really get POST variables from an anchor tag because that would use the GET method. Therefore you would have to pass them through the query string and use $_GET to get the variables. Hope that helps.

Post by Kyori »

I've read that it's pretty easy to steal sessions... dunno about that.

Any way in JavaScript to POST? Anything aside from using forms?

Post by BigE »

It's only easy to steal a session if you're good at coming up with random numbers or stealing a cookie off of someone's computer. If you're going to store sensitive information in the session, encrypt it. No, there is no way to get POST data besides by a form that I'm aware of.

Post by Kyori »

Is there any way to encrypt in PHP? Like a ready function? I can't find any.

Code:

<form action="action.php" method="POST">
<input type="hidden" name="user" value="user100">
</form>
<a href="action.php">action</a>

Will clicking on action above pass POST data?

Can anyone also help me w/ innerHTML?

Code:

<span style="position:absolute" id="loadi"></span>
<script>
loadi.innerHTML="LOADING";
</script>
Last edited by Kyori on Wed Nov 27, 2002 11:12 am, edited 1 time in total.

Post by BigE »

There are several encryption functions in PHP. I suggest you start checking out the string functions at php.net/strings and also md5() (php.net/md5). There are, of course, other styles of encryption, but MD5 seems to be the most popular one-way hash. Hope that helps.

Post by Kyori »

This is what I did:

Code:

$_SESSION['username'] = md5($username);

Guess that the only (virtually) way of hacking is by stealing cookies.

Post by BigE »

It's not the only way... if they have the session ID they can pass that through the URL. It's not as easy as some people make it out to be if you code your site properly. Also, with md5() all you can do to check your data is compare an MD5 string to an MD5 string since there is no decryption for it.
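
Added example, not part of the original thread: one way to harden a PHP session against the two routes discussed above (a stolen cookie and a session ID passed through the URL). It assumes PHP 7.3 or later on an HTTPS site; the function names start_hardened_session(), login_user() and current_user() are hypothetical.

```php
<?php
// Added example (not code from the thread). Assumes PHP 7.3+ and HTTPS.
// start_hardened_session(), login_user(), current_user() are hypothetical names.

function start_hardened_session(): void
{
    // Take the session ID from the cookie only and never append it to links,
    // which closes the "pass the ID through the URL" route.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs that this server did not issue.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from page JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_user(string $username): void
{
    // Issue a fresh ID at login and delete the old session file,
    // so an ID captured before login is worthless afterwards.
    session_regenerate_id(true);
    // Session data is stored server-side; only the ID travels in the cookie.
    $_SESSION['username'] = $username;
    // Weak extra signal: remember which browser the session was created in.
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function current_user(): ?string
{
    if (!isset($_SESSION['username'], $_SESSION['ua_hash'])) {
        return null; // not logged in
    }
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua_hash'], $ua)) {
        // ID presented by a different browser: drop the session.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return $_SESSION['username'];
}
```

Call start_hardened_session() before any output on every page, login_user() once after the password check succeeds, and current_user() wherever the thread's `$_SESSION['username']` read would go.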