sessions

Posted: Mon Mar 24, 2008 2:15 am
by sorin21us
Hi,

I have a web site and I'm using sessions to keep the user logged in until he closes the browser. The problem is about security, because I can open each web page, not the one with the login form, and see the content without being logged in. So, after the user is authenticated and his name is in the session array, what should I do on each page to keep the security, too, besides the session?

Re: sessions

Posted: Mon Mar 24, 2008 3:37 am
by Christopher

Code:

// at the top of pages you want to secure
session_start();
if (! isset($_SESSION['user_authenticated'])) {
     header('Location: http://mysite.com/login/');
     exit;
}

Re: sessions

Posted: Mon Mar 24, 2008 8:29 am
by sorin21us
Thank you.

Re: sessions - more question on session security.

Posted: Sat Mar 29, 2008 10:08 pm
by pen
Hi, I have a quick question.
Are there any security issues in just saving whether the user is logged on or not in the session and just relying on checking session variables to determine if the user is indeed logged on?

For example, upon login and authentication with the database:

Code:

session_start(); // the session must be started before $_SESSION is written
if( checkDatabase($username, $password) ) // check username and password in database
{
    session_regenerate_id(true); // fresh session ID once authenticated, so an ID issued before login cannot be reused
    $_SESSION['bool_islogged']=true;
    $_SESSION['username'] = $username;
}

When going through a secured page:

Code:

session_start(); // needed before $_SESSION can be read
if( empty($_SESSION['bool_islogged'])) // if this value is false, null or not set at all
{
    header("Location: login.php"); // redirect to login
    exit; // stop here, otherwise the rest of the page is still sent to the browser
}
Is this enough, just relying on sessions to determine if the user is logged on?

Because previously I used to save the username and lastlogintime in the session and cross-check with the database on every page to check if the user is the actual one who has logged on. I think this is very expensive, so I'm trying to go back to the simpler one by just relying on session variables to determine the user's logged-in details.

Thank you. I'm really confused as to how a session could or could not be hacked or set by a user without really logging in using my PHP form.
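As an added example that is not part of this thread, the same server-side login flag the posts above use, with the hardening their snippets leave out: the browser only ever holds the session ID, so the ID cookie is protected, the ID is replaced on login, idle sessions expire, and the gate actually stops the page. The function names are hypothetical, checkDatabase() is assumed to exist as in pen's post, and the array form of session_set_cookie_params assumes PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // The client never sees $_SESSION, only the ID cookie; protect that cookie:
    // not readable by script, sent only over HTTPS, not sent cross-site.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once, right after checkDatabase($username, $password) returns true.
function login_user(string $username): void
{
    secure_session_start();
    // New ID on privilege change, so an ID planted before login (fixation)
    // or captured earlier is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_authenticated'] = true;
    $_SESSION['username']           = $username;
    $_SESSION['last_activity']      = time();
}

// Include at the top of every protected page.
function require_login(string $loginUrl = '/login.php', int $idleLimit = 1800): void
{
    secure_session_start();
    $authed  = !empty($_SESSION['user_authenticated']);
    $expired = isset($_SESSION['last_activity'])
        && (time() - $_SESSION['last_activity']) > $idleLimit;
    if (!$authed || $expired) {
        // Drop the server-side state too, then stop: without exit the rest
        // of the page would still be sent to the browser.
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $loginUrl);
        exit;
    }
    $_SESSION['last_activity'] = time();
}
```

Because the flag lives only in $_SESSION on the server, a visitor cannot set it from the browser; what they can do is present someone else's session ID, which is why the cookie flags, the regenerate-on-login and the idle timeout are the part worth keeping.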