PHP Sessions security.... something

dvdriper
Forum Newbie
Posts: 2
Joined: Tue Feb 19, 2008 3:52 pm

PHP Sessions security.... something

Post by dvdriper »

Hi, I'm new to PHP, ... I have a question. :) It's not a complicated one, I guess...

If I have a website, and on every page there is a condition, something like this:

Code:

<?php
session_start();   // needed before $_SESSION can be read on this page

if (isset($_SESSION["nickname"]) and isset($_SESSION["pass"])) {
    echo "<html>
    ... the page....
    ";
} else {
    echo "access denied!";
    exit;
}
I wonder, if someone on his computer makes a script like this:

Code:

<?php
session_start();

$_SESSION['nickname'] = "whatever";
$_SESSION['pass'] = "whatever";   // the second key the page checks (the post repeated the 'nickname' line here)
?>

and after that enters my site...
Will the script deny him?

If not, please, what should I do to somehow protect my script....

I guess I need, on every page, to ask the database if there is such a session with "nickname" with such a "pass", yes?


The Ninja Space Goat: I edited your post to display the proper code bbcode tags for syntax highlighting.

Thanks :)
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: PHP Sessions security.... something

Post by Christopher »

They would need to hack into your site and run that script on your server. Running that script on any other server but yours would do nothing.
dvdriper
Forum Newbie
Posts: 2
Joined: Tue Feb 19, 2008 3:52 pm

Re: PHP Sessions security.... something

Post by dvdriper »

OK, and for additional security, I need on each page to ask the DB if there is such a user for such a pass, yes?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: PHP Sessions security.... something

Post by Christopher »

Once you have authenticated them by checking the database username/password to confirm they are who they say they are, then you can set a value in the session that tells all the other pages what access to grant. So you only need to go to the database once, on login.
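The approach Christopher describes, as an added example that is not code from the thread: a login handler checks the credentials once against the user store, and a guard included by every other page only looks at what the session already holds. The in-memory user store, the file name and the role values are assumptions standing in for a database query; note that it stores an identity and role in the session, not the password as the original snippet did.

```php
<?php
// auth.php (hypothetical): included by the login handler and every protected page.
// $_SESSION lives on the server; the browser holds only the session ID cookie, so a
// script run on another machine cannot populate it here.
declare(strict_types=1);

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start([
            'cookie_httponly' => true, // cookie not readable from page JavaScript
            'use_strict_mode' => true, // reject session IDs the server did not issue
        ]);
    }
}

// Constructed stand-in for the users table: username => [password hash, role].
function user_store(): array
{
    return ['alice' => [
        'hash' => password_hash('correct horse battery', PASSWORD_DEFAULT),
        'role' => 'editor',
    ]];
}

// Called once, by the login form handler. Returns true when the credentials match.
function login(string $username, string $password): bool
{
    start_session();
    $user = user_store()[$username] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh ID after login, so a pre-set ID cannot be reused
    $_SESSION['user'] = $username; // store identity and role, never the password
    $_SESSION['role'] = $user['role'];
    return true;
}

// Guard for every other page: no database round trip, only the values login() set.
function require_login(?string $role = null): void
{
    start_session();
    $allowed = isset($_SESSION['user'])
        && ($role === null || ($_SESSION['role'] ?? '') === $role);
    if (!$allowed) {
        http_response_code(403);
        exit('access denied!');
    }
}
```

A protected page then starts with `require 'auth.php'; require_login();` (or `require_login('editor');` for role-restricted pages), which is the single session check Christopher recommends in place of a per-page database lookup.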