sessions

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

sorin21us
Forum Newbie
Posts: 9
Joined: Mon Feb 11, 2008 9:25 am

sessions

Post by sorin21us »

Hi,

I have a web site and I'm using sessions to keep the user logged in until he closes the browser. The problem is security, because I can open each web page (not just the one with the login form) and see the content without being logged in. So, after the user is authenticated and his name is in the session array, what should I do on each page to keep it secure, besides the session?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: sessions

Post by Christopher »

Code:

// at the top of pages you want to secure
session_start();
if (! isset($_SESSION['user_authenticated'])) {
     header('Location: http://mysite.com/login/');
     exit; // stop here, otherwise the rest of the page is still sent to the client
}
sorin21us
Forum Newbie
Posts: 9
Joined: Mon Feb 11, 2008 9:25 am

Re: sessions

Post by sorin21us »

Thank you.
pen
Forum Newbie
Posts: 1
Joined: Sat Mar 29, 2008 9:58 pm

Re: sessions - more question on session security.

Post by pen »

Hi, I have a quick question.
Are there any security issues in just saving whether the user is logged on or not in the session and relying on checking session variables to determine if the user is indeed logged on?

For example, upon login and authentication with the database:

Code:

session_start(); // needed before anything is written to $_SESSION
if( checkDatabase($username, $password) ) // check username and password in database
{
    $_SESSION['bool_islogged']=true;
    $_SESSION['username'] = $username; 
}

and when going through a secured page:

Code:

session_start();
if( empty($_SESSION['bool_islogged'])) // if this value is missing, false or null
{
    header("Location: login.php"); // redirect to login
    exit; // stop here; a redirect header alone does not prevent the page from being sent
}

Is this enough, to just rely on sessions to determine if the user is logged on?

Because previously I used to save the username and last login time in the session and cross-check with the database on every page to check if the user is the actual one who logged on. I think this is very expensive, so I'm trying to go back to the simpler one by just relying on session variables to determine the user's login details.

Thank you. I'm really confused as to how a session could or could not be hacked or set by a user without really logging in using my PHP form.
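An added example, not code posted by anyone in this thread, covering both Christopher's page guard above and pen's question of whether a flag in $_SESSION is enough. The short answer is that $_SESSION lives on the server and a visitor cannot set it from outside; what a visitor can do is steal or plant the session ID, so the guard is only as good as the protection around that ID. The code below assumes a `users` table with columns `id`, `username` and `password_hash` (created with `password_hash()`) and a PDO connection passed in as `$pdo`; those names, the timeouts and the `/login.php` URL are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Assumed: a `users` table with
// columns id, username, password_hash (created with password_hash()), and a
// PDO connection passed in as $pdo. Column and function names are illustrative.
declare(strict_types=1);

const SESSION_IDLE_LIMIT     = 1800;   // log out after 30 min without a request
const SESSION_ABSOLUTE_LIMIT = 28800;  // and 8 h after login, however active

// Starts the session with settings that make the session ID hard to steal or
// plant. Only the ID reaches the browser; $_SESSION itself stays on the server,
// so a user cannot set bool_islogged/username from outside. The ID is the secret.
function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    session_set_cookie_params([
        'lifetime' => 0,       // cookie dies with the browser, as the OP wants
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable by JavaScript (limits XSS theft)
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Checks the credentials and, on success, binds the session to the user.
function login(PDO $pdo, string $username, string $password): bool
{
    startSecureSession();
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: spend roughly the same bcrypt cost as a real check so the
        // response time does not reveal which usernames exist.
        password_hash($password, PASSWORD_DEFAULT);
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Session fixation defence: whatever ID the browser had before login is
    // discarded, so an attacker who planted an ID cannot reuse it.
    session_regenerate_id(true);
    $_SESSION['user_id']    = (int) $row['id'];
    $_SESSION['login_time'] = time();
    $_SESSION['last_seen']  = time();
    return true;
}

// Call at the top of every protected page. Returns the user ID, or redirects
// to the login page and stops the script.
function requireLogin(string $loginUrl = '/login.php'): int
{
    startSecureSession();
    $now = time();
    $valid = isset($_SESSION['user_id'], $_SESSION['login_time'], $_SESSION['last_seen'])
        && ($now - $_SESSION['last_seen'])  <= SESSION_IDLE_LIMIT
        && ($now - $_SESSION['login_time']) <= SESSION_ABSOLUTE_LIMIT;

    if (!$valid) {
        logout();
        header('Location: ' . $loginUrl, true, 303);
        exit; // without this the rest of the page is still sent to the client
    }
    $_SESSION['last_seen'] = $now;
    return $_SESSION['user_id'];
}

// Clears server-side state and the cookie, so the old ID is useless afterwards.
function logout(): void
{
    startSecureSession();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage in the login form handler, $pdo being the assumed PDO connection:
//   if (login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//       header('Location: /', true, 303);
//       exit;
//   }
// Usage on a protected page:
//   $userId = requireLogin();
```

The per-page database cross-check pen describes is not needed for authentication itself; storing the user's ID in the session and regenerating the ID at login already ties the session to one successful login. One caveat worth keeping in mind: with the default file-based session handler on shared hosting, session files in a shared temporary directory may be readable by other accounts on the same machine, so point `session.save_path` at a directory only your site can read.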