PHP Sessions security.... something

Posted: Tue Feb 19, 2008 3:59 pm
by dvdriper
Hi, I'm new to PHP, ... have a question, :) it's not a complicated one I guess...

If I have a website, and on every page there is a condition... something like that:

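Code:

<?php
session_start(); // required before $_SESSION can be read

// Show the page only when both session values are set
if (isset($_SESSION["nickname"]) && isset($_SESSION["pass"])) {
    echo "<html>
... the page....
";
} else {
    echo "access denied!";
    exit;
}
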
I wonder, if someone on his computer makes a script like this:

Code:

<?php
session_start();

// Sets the two values the page check looks for, but only in this server's own session store
$_SESSION['nickname'] = "whatever";
$_SESSION['pass'] = "whatever";
?>

and after that enters my site...
will the script deny him?

If not, please, what should I do to somehow protect my script....

I guess I need on every page to ask the database if there is such a session with "nickname" with such a "pass", yes?


The Ninja Space Goat - I edited your post to display the proper code bbcode tags for syntax highlighting

thx :)

Re: PHP Sessions security.... something

Posted: Tue Feb 19, 2008 4:43 pm
by Christopher
They would need to hack into your site and run that script on your server. Running that script on any other server but yours would do nothing.

Re: PHP Sessions security.... something

Posted: Tue Feb 19, 2008 4:45 pm
by dvdriper
OK, and for additional security, I need on each page to ask the db if there is such a user for such a pass, yes?

Re: PHP Sessions security.... something

Posted: Tue Feb 19, 2008 4:58 pm
by Christopher
Once you have authenticated them by checking the database username/password to confirm they are who they say they are, then you can set a value in the session that tells all the other pages what access to grant. So you only need to go to the database once on login.
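
The flow described in the last reply (check the database once at login, then rely on a server-side session value on every other page), as an added example that is not part of the original thread. The $users array stands in for the database table, and the names login(), is_logged_in() and the 'user_id' session key are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the users table in the database.
$users = [
    'alice' => ['id' => 7, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

// Login handler: the only place that consults the user table.
function login(array $users, string $nickname, string $password): bool
{
    $row = $users[$nickname] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return false;                      // unknown user or wrong password
    }
    session_regenerate_id(true);           // issue a fresh session ID on login
    $_SESSION['user_id'] = $row['id'];     // store who they are, never the password
    return true;
}

// Page guard: every protected page checks the server-side session value only.
function is_logged_in(): bool
{
    return isset($_SESSION['user_id']);
}

session_start();   // the browser holds just the session ID cookie; the data stays on this server

$results = [
    'before login'   => is_logged_in(),
    'wrong password' => login($users, 'alice', 'whatever'),
    'after failure'  => is_logged_in(),
    'right password' => login($users, 'alice', 'correct horse'),
    'after login'    => is_logged_in(),
];
var_dump($results);

// On a real page the guard would be used like this:
// if (!is_logged_in()) { http_response_code(403); exit('access denied!'); }
```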