Session security question

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

JonnySnip3rz
Forum Newbie
Posts: 4
Joined: Sat Apr 17, 2010 8:28 am

Session security question

Post by JonnySnip3rz »

Hey guys, I'm pretty new to PHP programming, so no flaming haha! I know that sessions are stored on the server, however I'm wondering this. I have created a login, and a while loop pulls the info from the database where username = username blah blah. Anyway, I store various information in sessions: I store the user's full name, the user's email, username and their rank. If their rank is 0 then they are a standard member, else admin. Now, can a user change their session values so they could change it to maybe 1 and then they would have admin status? Is this safe, or is there a better way of doing this?

Hope someone can help thanks :)
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Session security question

Post by social_experiment »

You could set the rank of admin (or normal user) in a database and with each 'authorization' check see if the value retrieved from the database matches the value set in a session variable. In the event of someone tampering with the value and if a match between database value and session variable cannot be found, you inform the user.

```php
<?php
// $rankFromDatabase is assumed to have been fetched already, e.g. with a
// prepared statement keyed on the logged-in user's id.
if ($_SESSION['rank'] != $rankFromDatabase) {
    // Session value no longer matches the authoritative one: treat as tampering,
    // e.g. destroy the session and inform the user.
}
?>
```
Naturally this wouldn't be the only check but an additional precaution against such tampering.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
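A fuller version of the same idea, written as an added example rather than code from this thread: the session holds only the user id, and the rank is looked up from the database on every request, so there is no session copy of the rank for anyone to tamper with. The table name, column names and PDO connection details are assumptions.

```php
<?php
// Added example (not from the thread). Only the user id lives in the session;
// the rank is re-read from the database each time it is needed.
declare(strict_types=1);

session_start();

// Hypothetical connection; DSN, credentials and the users table are assumed.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh session id once the user is authenticated (defends against fixation).
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function currentRank(PDO $pdo): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null; // not logged in
    }
    // The authoritative rank comes from the database, never from the session.
    $stmt = $pdo->prepare('SELECT rank FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $rank = $stmt->fetchColumn();
    return $rank === false ? null : (int) $rank;
}

// Same convention as the original post: rank 0 is a standard member, anything
// else is an admin. Unknown users and plain members are refused.
function requireAdmin(PDO $pdo): void
{
    $rank = currentRank($pdo);
    if ($rank === null || $rank === 0) {
        http_response_code(403);
        exit('Forbidden');
    }
}

requireAdmin($pdo);
echo 'Welcome, admin.';
```

Because the rank is never stored client-side and the session only carries an id, demoting an admin in the database takes effect on their very next request.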
JonnySnip3rz
Forum Newbie
Posts: 4
Joined: Sat Apr 17, 2010 8:28 am

Re: Session security question

Post by JonnySnip3rz »

Thanks dude :) for the reply!