Page 2 of 2

Posted: Thu Mar 01, 2007 10:16 am
by murlopaz
I have a security concern.

Throughout my system I keep the user's id in the session, and every modification to the database is based on the session.

Now the session id is not even encrypted.

Is this a bad practice?

I would suppose that a hacker could inject somebody else's id in the session (say the id of some admin) and then change their password.

Posted: Thu Mar 01, 2007 1:40 pm
by Mordred
murlopaz wrote: Throughout my system I keep the user's id in the session, and every modification to the database is based on the session.
Good.
Now the session id is not even encrypted. Is this a bad practice?
No. Can you explain what the SID is for? What would "encryption" change? Encrypt how exactly, and swap keys how exactly?
I would suppose that a hacker could inject somebody else's id in the session (say the id of some admin) and then change their password.
Could be, could be not. Try to do it yourself and see what happens. Read your code. How is the userId written into the session? Does this happen in a manner that is controllable by the user?

Posted: Thu Mar 01, 2007 2:10 pm
by murlopaz
I am sorry. By session id I meant the id of the user that is stored in the session.
Like:

Code:

$_SESSION["id"] = 23; // PHP's session superglobal is $_SESSION (uppercase); $_session would be an ordinary, empty array
Whenever there is a need to change some information about the user, $_SESSION["id"] is used for that purpose.

Posted: Thu Mar 01, 2007 2:28 pm
by Mordred
Okay then, just ignore the second part of my answer and concentrate on the third part.
If the user has control over what id is written in the session - bad. If not - good. Whether the user has control depends on your specific code, but normally the id would be SELECT-ed from the database (based on user credentials) and stored in the session, which means the user/attacker has no control over the id.

Posted: Thu Mar 01, 2007 3:35 pm
by murlopaz
Yes, the id is selected from the database when the user provides the correct credentials...

My concern was that there would be a way to change a value in the session, i.e. the ID, after the user is logged in already.

Suppose that the id is kept in a cookie. The user can easily modify the id in the cookie to something else.
Everything else is straightforward...
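The pattern Mordred describes, as an added PHP example that is not code from the thread: the user id is looked up only after the credentials check and lives in the server-side session, while the browser holds nothing but the session id cookie; the in-memory `$users` table, the user names and the password values are constructed stand-ins for the database.

```php
<?php
// Added example, not from the thread. $users is a constructed in-memory table
// standing in for the database; a real app would SELECT the row by username.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

$users = [
    // hashes generated here with password_hash(); never store plaintext
    'alice' => ['id' => 23, 'hash' => password_hash('s3cret', PASSWORD_DEFAULT)],
    'admin' => ['id' => 1,  'hash' => password_hash('adminpw', PASSWORD_DEFAULT)],
];

// Login: the id comes from the (simulated) SELECT after password_verify() and
// is written into the server-side session. The client only ever sees the
// session id cookie, so it has no way to choose which user id is stored.
function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh SID once the user is authenticated
    $_SESSION['id'] = $users[$username]['id'];
    return true;
}

// Every later modification is keyed on $_SESSION['id'], never on an id that
// arrived in the request (cookie, GET or POST), which the client can edit.
function changePassword(array &$users, string $newPassword): bool
{
    if (!isset($_SESSION['id'])) {
        return false;                     // not logged in
    }
    foreach ($users as &$row) {
        if ($row['id'] === $_SESSION['id']) {
            $row['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
            return true;
        }
    }
    return false;
}

// The situation in the last post, for contrast: reading the user id back from
// a client-controlled cookie means the client decides who it is. Do not do this.
function currentUserIdInsecure(): ?int
{
    return isset($_COOKIE['id']) ? (int) $_COOKIE['id'] : null;
}

var_dump(login($users, 'alice', 's3cret'));      // bool(true)
var_dump($_SESSION['id']);                       // int(23)
var_dump(changePassword($users, 'new-secret'));  // bool(true)
```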