$_SESSION

9902468
Forum Commoner
Posts: 89
Joined: Thu Jun 06, 2002 6:39 am
Location: Europe

$_SESSION

Post by 9902468 »

I'm writing authentication code.

Is there any possible way one can access/alter/erase my session data through the browser (or any kind of HTTP connection)?

Is sending the password and username as POST data as "secure" as sending HTTP auth headers to the browser (and thus getting the passwords and usernames)?

If I understand correctly, PHP sessions use cookies to store the session id on the client side? This is a possible security threat too, right?

My idea is to check passwords and usernames only once and set a flag like $_SESSION["all_ok"] = "TRUE"; Then I can check only that variable, and if it is ok I can continue to execute the script. (The check happens as the first thing on a page.) I also thought about setting a cookie that contains another id and a time; if (servertime - cookie time) > 10 min, stop the session. So if all these three things (and possibly some more) are ok (flag, time, my own id), the user is considered authenticated. Are there any obvious security threats that I'm missing?

Are there any reasons why I shouldn't store the password and username in $_SESSION? If it really is secure, is it also safe to save anything there?

What are the advantages if I use Mohawk Software's session handler?
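The post above asks whether a flag in $_SESSION plus a cookie-based timeout is enough, and whether the password itself should be kept in the session. The following is an added example, not code from the thread or from Mohawk Software, of how a practitioner would wire that up in modern PHP (7.3 or later): the session id travels only in an HttpOnly/Secure cookie, the id is regenerated on login so a session id planted before login cannot be reused, the inactivity timeout lives server side in $_SESSION rather than in a client-writable cookie, and only the user id (never the password) is stored. The users table, its columns, and the $pdo connection are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Assumed schema: users(id, username,
// password_hash) where password_hash was produced by password_hash(), and an
// already-connected PDO instance in $pdo.

declare(strict_types=1);

const IDLE_TIMEOUT = 600; // seconds of inactivity before the login expires (10 min, as in the post)

function start_secure_session(): void
{
    // Session id only ever travels in a cookie, never in the URL,
    // and the cookie is not readable by JavaScript.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1'); // reject ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against the stored hash; password_verify() compares in constant time.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Fresh id on privilege change, so a session id fixed before login is useless afterwards.
    session_regenerate_id(true);

    // Store only what later requests need: who the user is and when they were
    // last seen. The password itself never goes into $_SESSION.
    $_SESSION['user_id']       = (int) $row['id'];
    $_SESSION['last_activity'] = time();
    return true;
}

// Call this first on every protected page; returns the logged-in user id.
function require_login(): int
{
    if (empty($_SESSION['user_id'])) {
        deny();
    }
    if (time() - (int) $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        logout();
        deny();
    }
    $_SESSION['last_activity'] = time();
    return (int) $_SESSION['user_id'];
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

function deny(): void
{
    http_response_code(401);
    exit('Login required');
}

// Login page (assumes $pdo is connected):
//   start_secure_session();
//   if (login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//       header('Location: /app.php'); exit;
//   }
//
// Every protected page:
//   start_secure_session();
//   $uid = require_login();
```

The timeout is checked against a timestamp the server wrote, because anything in a client cookie can be edited by the client; the only thing the browser holds is an opaque session id, and `session.use_strict_mode` stops the server from accepting an id it did not generate.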
roninblade
Forum Newbie
Posts: 21
Joined: Thu Jun 13, 2002 7:12 pm

Post by roninblade »

Here's a very good discussion I found over at the DevShed PHP forums on PHP security issues. It's a must read for newbies.
DSM
Forum Contributor
Posts: 101
Joined: Thu May 02, 2002 11:51 am
Location: New Mexico, USA

Post by DSM »

Excellent article; like roninblade said, a must read for everyone.
BDKR
DevNet Resident
Posts: 1207
Joined: Sat Jun 08, 2002 1:24 pm
Location: Florida

More on security

Post by BDKR »

Hey Roninblade,

I just read that bit on DevShed about security, and it is indeed something that should be talked about more in the community. Perhaps there should be a PHP FAQ on this topic, or even a web site dedicated to it.

As for the question:

Is sending the password and username as POST data as "secure" as sending HTTP auth headers to the browser (and thus getting the passwords and usernames)?

I would say that neither of them is secure at all. I'm not 100% sure about HTTP auth headers, but I know that using the POST method is only as secure as not showing the information in the URL. However, a packet sniffer or something could easily read all the information that is sent from the form.

In my opinion, if you don't have a secure (HTTPS) connection, encrypt (hash) passwords client side. There are MD4, MD5, SHA1, and I think Haval JavaScripts out there.

Oh well.......

Later on,
BDKR (TRC)
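The reply above suggests hashing the password on the client when no HTTPS connection is available, and the original question asked whether POSTed credentials can be sniffed. A bare client-side hash of the password is itself a reusable credential: whoever sniffs it can send it again. The added example below (not code from the thread, and both halves simulated in PHP; in a real deployment the client half would be the JavaScript hashing library the reply mentions) shows the nonce-based challenge-response form that survives a passive sniffer: the server issues a one-time nonce, the client sends only an HMAC of that nonce keyed with a password-derived value, and the server recomputes it from a stored verifier. The user name, salt, password and function names are assumptions for illustration. Two limits a practitioner should note: the stored verifier is a password equivalent (anyone who steals the database can log in), and an attacker who can modify the page on the wire can simply remove the client-side script, so this defends against eavesdropping only, not against an active attacker.

```php
<?php
// Added example (not from the thread): nonce-based challenge-response login.
// Constructed data throughout; the salt would normally be random per user and
// stored with the user record, and sent to the client with the challenge.

declare(strict_types=1);

// ---- shared derivation: what the client can compute from the typed password
//      and what the server keeps instead of the password -----------------------
const SALT = 'per-user-random-salt'; // assumption: per-user salt

function make_verifier(string $password): string
{
    // Plain salted SHA-256 rather than bcrypt, because the browser-side script
    // must be able to recompute exactly this value from the password alone.
    return hash('sha256', SALT . $password);
}

// ---- server side -------------------------------------------------------------
$users = ['alice' => make_verifier('correct horse battery staple')]; // constructed user

// Step 1: client asks to log in; server issues a one-time nonce and remembers it.
function issue_challenge(array &$pending, string $username): string
{
    $nonce = bin2hex(random_bytes(16));
    $pending[$username] = ['nonce' => $nonce, 'issued' => time()];
    return $nonce;
}

// Step 3: server recomputes the expected response from the stored verifier.
function verify_response(array $users, array &$pending, string $username, string $response): bool
{
    if (!isset($users[$username], $pending[$username])) {
        return false;
    }
    $challenge = $pending[$username];
    unset($pending[$username]);            // single use: a captured response cannot be replayed
    if (time() - $challenge['issued'] > 60) {
        return false;                      // stale challenge
    }
    $expected = hash_hmac('sha256', $challenge['nonce'], $users[$username]);
    return hash_equals($expected, $response); // constant-time comparison
}

// ---- client side (what the browser script would compute) ---------------------
// Step 2: derive the verifier from the typed password, key an HMAC over the nonce.
function client_response(string $password, string $nonce): string
{
    return hash_hmac('sha256', $nonce, make_verifier($password));
}

// ---- the exchange ------------------------------------------------------------
$pending = [];
$nonce = issue_challenge($pending, 'alice');                        // server -> client: nonce
$resp  = client_response('correct horse battery staple', $nonce);   // client -> server: HMAC only
$ok    = verify_response($users, $pending, 'alice', $resp);         // accepted

// A sniffer who captured $resp and tries it against a fresh challenge is
// rejected, because the new nonce yields a different expected HMAC.
issue_challenge($pending, 'alice');
$replayed = verify_response($users, $pending, 'alice', $resp);      // rejected

var_dump($ok, $replayed);
```

The password never leaves the client and the value that does cross the wire is bound to a nonce the server will not accept twice; `hash_equals()` keeps the comparison constant-time so the verifier cannot be recovered byte by byte through timing.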