Hi all again, getting some very useful feedback to my questions, so I wanted to ask something else.
What is the safest way to navigate a signed in user around a website?
We need to know the users id through the site to make pages dynamic, but also ensure against any security issues.
I have used sessions before, and it would be possible to place the user ID within this array, but is this particularly safe?
For example,
let's say we have a login form on the index page so people can quickly log in (it might include some basic JS validation for the benefit of the user; don't worry, I am not relying on this validation).
This login form data then gets sent via $_POST to sign-in.php, which validates the user input to make sure it is correctly formatted (type, length and regex pattern), processes it and checks whether it matches any user's information in the database; if it does, it returns the user's ID. If not, we stay on this page and it outputs an error string saying to re-enter the information as it was incorrect.
If, however, it was successful, I then want it to automatically redirect the user to his/her profile page. Is it best that we set the session variables on the previous sign-in.php, then retrieve them on the profile page to display their details? Is this a particularly secure method, or is there a better way?
Best (safest) way for navigation
newbie2php
John Cartwright (Site Admin) wrote:
Sessions are only as safe as your filesystem. If you're on a shared host that puts all its clients' sessions into a single session folder, then users may be able to hijack the session. session_regenerate_id() should be used after every important action (logins, password reset, etc.) and set_session_save_handler() should be used if your session folder is not secured properly (consider a database handler).
As for storing the user ID in a session, yes, that's perfectly fine, and common. Simply check for the existence of the session to see if he is logged in, or deny him that page.
Code is helpful to see as well.
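The flow asked about in the question and the three points in the reply (regenerate the session ID at login, keep the user ID in $_SESSION and gate pages on it, and move session storage off the shared filesystem into a database) can be put together as follows. This is an added example, not code from either poster. Note that the PHP function is actually named session_set_save_handler(), not set_session_save_handler(). The table names users(id, username, password_hash) and sessions(id, data, updated_at), the use of password_hash()/password_verify() for the stored credential, and the HTTPS-only cookie flag are assumptions for this example.

```php
<?php
// Added example, not from the original thread. Assumed (hypothetical) schema:
//   users(id INT, username VARCHAR, password_hash VARCHAR)
//   sessions(id VARCHAR(128) PRIMARY KEY, data BLOB, updated_at INT)
declare(strict_types=1);

// Session storage in the database instead of the host's shared session folder.
final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $row = $st->fetchColumn();
        return $row === false ? '' : (string) $row;
    }

    public function write(string $id, string $data): bool
    {
        // REPLACE works on MySQL and SQLite; use an upsert for other engines.
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, updated_at) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE updated_at < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}

// Call this before any output on every page that uses the session.
function start_secure_session(PDO $db): void
{
    session_set_save_handler(new PdoSessionHandler($db), true);
    session_set_cookie_params([
        'httponly' => true,   // keep the cookie out of reach of JavaScript
        'secure'   => true,   // assumes the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server never issued
    session_start();
}

// sign-in.php: validate the POSTed form, look the user up, bind the session to them.
// Returns the user ID on success, null on any failure (caller shows the error string).
function sign_in(PDO $db, array $post): ?int
{
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';

    // Format checks (type, length, pattern), as the question describes.
    if (!is_string($username) || !is_string($password)
        || !preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)
        || strlen($password) < 8 || strlen($password) > 256) {
        return null;
    }

    $st = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);

    // Unknown user and wrong password take the same path, so the error
    // message does not reveal which usernames exist.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }

    // Fresh ID on privilege change: an ID an attacker planted or observed
    // before login no longer refers to the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return (int) $row['id'];
}

// profile.php and every other page that needs a signed-in user.
function require_login(): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /index.php?err=login', true, 303);
        exit;
    }
    return (int) $_SESSION['user_id'];
}
```

In sign-in.php, call start_secure_session($db), then sign_in($db, $_POST); on a non-null result send a 303 redirect to profile.php and exit, otherwise print the "incorrect, please re-enter" message. In profile.php, call start_secure_session($db) and then $uid = require_login() before touching any user data, so a request without a valid session never reaches the page body. The regenerated ID at login is what makes the database handler worthwhile: without it, an ID fixed or read from the shared folder before login would stay valid afterwards.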
newbie2php wrote:
Thanks Jcart - great help.

Jcart wrote:
Sessions are only as safe as your filesystem. If you're on a shared host that puts all its clients' sessions into a single session folder, then users may be able to hijack the session. session_regenerate_id() should be used after every important action (logins, password reset, etc.) and set_session_save_handler() should be used if your session folder is not secured properly (consider a database handler).
As for storing the user ID in a session, yes, that's perfectly fine, and common. Simply check for the existence of the session to see if he is logged in, or deny him that page.
Code is helpful to see as well.

I am trying to find more info on set_session_save_handler() but cannot find anything; do you have any links, or was that the wrong function name?
As for code - I haven't coded these pages yet - I wanted some feedback on session use first, but it seems like I will do as you outlined.