Best (safest) way for navigation

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

newbie2php
Forum Commoner
Posts: 35
Joined: Wed Nov 07, 2007 4:44 pm

Best (safest) way for navigation

Post by newbie2php »

Hi all again, getting some very useful feedback to my questions, so I wanted to ask something else.

What is the safest way to navigate a signed in user around a website?

We need to know the user's id through the site to make pages dynamic, but also ensure against any security issues.

I have used sessions before, and it would be possible to place the userid within this array, but is this particularly safe?


For example,

Let's say we have a login form on the index page so people can quickly log in (might include some basic JS validation for the benefit of the user, don't worry - I am not relying on this validation).

This login form data then gets sent via $_POST to sign-in.php which validates the user input to make sure it is correctly formatted (type, length and REGEX pattern), processes it and checks if it matches any userid's information in the database, if it does it returns the user's id. If not, we stay on this page and it outputs an error string saying to re-enter information as it was incorrect.

If however it was successful, I then want it to automatically redirect the user to his/her profile page. Is it best that we set the session variables on the previous sign-in.php, then retrieve this on the profile page to display their details? Is this a particularly secure method, or is there a better way?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Sessions are only as safe as your filesystem. If you're on a shared host that puts all its clients' sessions into a singular session folder, then users may be able to hijack the session. session_regenerate_id() should be used after every important action (logins, password reset, etc) and set_session_save_handler() should be used if your session folder is not secured properly (consider a database handler).

As for storing the user id in a session, yes that's perfectly fine, and common. Simply check for the existence of the session to see if he is logged in or deny him that page.

Code is helpful to see as well.
newbie2php
Forum Commoner
Posts: 35
Joined: Wed Nov 07, 2007 4:44 pm

Post by newbie2php »

Jcart wrote: Sessions are only as safe as your filesystem. If you're on a shared host that puts all its clients' sessions into a singular session folder, then users may be able to hijack the session. session_regenerate_id() should be used after every important action (logins, password reset, etc) and set_session_save_handler() should be used if your session folder is not secured properly (consider a database handler).

As for storing the user id in a session, yes that's perfectly fine, and common. Simply check for the existence of the session to see if he is logged in or deny him that page.

Code is helpful to see as well.
Thanks Jcart - great help.

I am trying to find more info on the set_session_save_handler() but can not find anything, do you have any links, or was that the wrong function name?

As for code - I haven't coded these pages yet - wanted some feedback on session use before, but seems like I will do as you outlined.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Sorry, it was session_set_save_handler() ;)
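
An added example, not part of the thread and not code from any poster: a database-backed handler registered with session_set_save_handler(), together with the regenerate-on-login and check-on-profile-page steps discussed above. The `sessions` table, the PDO connection, all function and class names, and the use of PHP 8.0+ syntax are assumptions.

```php
<?php
// Added example. The `sessions` table (id, data BLOB, updated_at INT) is an assumption.
final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $q = $this->pdo->prepare('SELECT data FROM sessions WHERE id = ?');
        $q->execute([$id]);
        return (string) $q->fetchColumn();   // unknown id yields '' (empty session)
    }

    public function write(string $id, string $data): bool
    {
        // REPLACE is MySQL/SQLite syntax; other databases need their own upsert.
        $q = $this->pdo->prepare('REPLACE INTO sessions (id, data, updated_at) VALUES (?, ?, ?)');
        return $q->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false
    {
        $q = $this->pdo->prepare('DELETE FROM sessions WHERE updated_at < ?');
        $q->execute([time() - $max_lifetime]);
        return $q->rowCount();
    }
}

function start_db_session(PDO $pdo): void   // call at the top of every page
{
    session_set_save_handler(new PdoSessionHandler($pdo), true);
    session_start();
}

function log_in(int $userId): void           // sign-in.php, after credentials matched
{
    session_regenerate_id(true);             // fresh id; the pre-login row is deleted
    $_SESSION['user_id'] = $userId;
}

function current_user_id(): ?int             // profile.php: null means not signed in
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}
```

Because session data lives in the application's own database rather than a shared session folder, other accounts on the same host cannot read it from the filesystem; the user id is taken only from `$_SESSION`, never from a request parameter.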
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

DB sessions have the added bonus of being cluster-safe.

Anyone know a down-side (besides extra config)?