unsubscribe/subscribe/forgotpassword security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


murlopaz
Forum Commoner
Posts: 60
Joined: Wed Oct 11, 2006 5:02 pm
Location: Baltimore, MD, USA

Post by murlopaz »

I have a security concern.

Throughout my system I keep the user's id in the session, and every modification to the database is based on the session.

Now the session id is not even encrypted.

Is this a bad practice?

I would suppose that a hacker could inject somebody else's id in the session (say the id of some admin) and then change their password.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

murlopaz wrote: Throughout my system I keep the user's id in the session, and every modification to the database is based on the session.
Good.
murlopaz wrote: Now the session id is not even encrypted. Is this a bad practice?
No. Can you explain what the SID is for? What would "encryption" change? Encrypt how exactly, and swap keys how exactly?
murlopaz wrote: I would suppose that a hacker could inject somebody else's id in the session (say the id of some admin) and then change their password.
Could be, could be not. Try to do it yourself and see what happens. Read your code. How is the userId written into the session? Does this happen in a manner that is controllable by the user?
murlopaz
Forum Commoner
Posts: 60
Joined: Wed Oct 11, 2006 5:02 pm
Location: Baltimore, MD, USA

Post by murlopaz »

I am sorry. By session id I meant the id of the user that is stored in the session.
Like:


$_SESSION["id"] = 23;
Whenever there is a need to change some information about the user, the session["id"] is used for that purpose.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

Okay then, just ignore the second part of my answer and concentrate on the third part.
If the user has control over what id is written in the session - bad. If not - good. Whether the user has control depends on your specific code, but normally the id would be SELECT-ed from the database (based on user credentials) and stored in the session, which means the user/attacker has no control over the id.
murlopaz
Forum Commoner
Posts: 60
Joined: Wed Oct 11, 2006 5:02 pm
Location: Baltimore, MD, USA

Post by murlopaz »

Yes, the id is selected from the database when the user provides the correct credentials...

My concern was that there would be a way to change a value of the session, i.e. the ID, after the user is already logged in.

Suppose that the id is kept in a cookie. The user can easily modify the id of the cookie to something else.
Everything else is straightforward...
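
Added example, not part of the original thread and not any poster's code: the pattern discussed above, where the id is SELECT-ed from the database on successful login, stored in `$_SESSION`, and every later write is keyed on that server-side value rather than on anything the browser sends. The table layout, function names and sample users are assumptions; an in-memory SQLite database stands in for the real one so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Constructed sample data: in-memory SQLite stands in for the real user table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pass_hash TEXT, email TEXT)');
$ins = $db->prepare('INSERT INTO users (id, name, pass_hash, email) VALUES (?, ?, ?, ?)');
$ins->execute([1, 'admin', password_hash('admin-secret', PASSWORD_DEFAULT), 'admin@example.test']);
$ins->execute([23, 'alice', password_hash('alice-secret', PASSWORD_DEFAULT), 'alice@example.test']);

// Login (hypothetical helper): the id comes from a SELECT keyed on verified
// credentials, never from a request parameter or cookie value.
function login(PDO $db, string $name, string $password): bool
{
    $q = $db->prepare('SELECT id, pass_hash FROM users WHERE name = ?');
    $q->execute([$name]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return false;
    }
    // In a web request session_start() has run; issue a fresh SID on login.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['id'] = (int) $row['id'];
    return true;
}

// Update (hypothetical helper): the row is chosen by $_SESSION['id'];
// an "id" field in the request is deliberately never read.
function changeEmail(PDO $db, array $request): bool
{
    if (!isset($_SESSION['id'])) {
        return false; // not logged in
    }
    $u = $db->prepare('UPDATE users SET email = ? WHERE id = ?');
    $u->execute([$request['email'], $_SESSION['id']]);
    return $u->rowCount() === 1;
}

// Constructed demo: alice logs in, then submits a form carrying a forged id=1.
$_SESSION = []; // on the CLI this is a plain array; in a web request call session_start()
login($db, 'alice', 'alice-secret');
changeEmail($db, ['id' => 1, 'email' => 'new@example.test']);
foreach ($db->query('SELECT id, email FROM users ORDER BY id') as $r) {
    echo $r['id'], ' ', $r['email'], PHP_EOL; // only row 23 has the new address
}
```

The browser holds only the session identifier; the `id` value lives in server-side session storage, which is why it differs from the cookie case raised in the last post, where the value itself would be client-editable.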