Check database each time user accesses a page using $_SESSIO

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

freedomflyer
Forum Newbie
Posts: 1
Joined: Mon Aug 18, 2008 2:15 pm


Post by freedomflyer »

Hello everyone,
I (FINALLY) finished my first PHP login scripts, and they are working flawlessly (without hackers, of course)

However, as an added measure of security, I had a thought.

Would it be smart at the time of login of the user to set two session vars of the username and password of the user, so that each time a user accesses various pages you can use the vars to check against the database that that combination actually exists? I understand that I only make the session var once the user is authenticated, however, would it be possible for a hacker to alter these session vars in between pages and allow him access to a page?
Or would it be secure enough just to have one ['userWhichIsOnline'] session var which is only set if the user is authenticated?

Also, along the same lines, are session vars the de facto standard for user authentication in PHP?

Thank you for the great help as I embark on my journey of security-finding! (Dental Website + Hackers + Bad Security = BAD NEWS)
thanks!
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Check database each time user accesses a page using $_SESSIO

Post by Mordred »

Or would it be secure enough just to have one ['userWhichIsOnline'] session var which is only set if the user is authenticated?
Yes, no sense in keeping the credentials in the session (not to mention the hugely increased security risk if someone on the server steals the session data).
Also, along the same lines, are session vars the de facto standard for user authentication in PHP?
Yes, it's the most common mechanism, although there are surely others. Session vars are just an interface to a persistent storage - you can even change how sessions are stored - i.e. use a database instead of flat files. So, as long as you have a place where you can reliably read and write info, it's suitable. This includes database(s), files, shared memory, even cookies (with some caveats).
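Added example, not code from either poster: the approach Mordred describes, written out in PHP. After password_verify() succeeds it stores only the user id in $_SESSION (never the credentials), regenerates the session id, and on every protected page re-reads the user row from the database so a disabled account is cut off at once. It assumes a hypothetical users table (id, username, password_hash, is_active) and a PDO handle $pdo supplied by the caller.

```php
<?php
// Added example, not from the thread. Assumes a users table (id, username,
// password_hash, is_active) and a PDO connection $pdo supplied by the caller.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash, is_active FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Same failure path for unknown user, wrong password and disabled account.
    if ($row === false || !password_verify($password, $row['password_hash']) || !$row['is_active']) {
        return false;
    }
    // Fresh session id on login blocks session fixation; only the user id is stored.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Call at the top of every protected page: re-reads the user row so a disabled
// or deleted account loses access at once, with no credentials in the session.
function currentUser(PDO $pdo): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = ? AND is_active = 1');
    $stmt->execute([$_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        logout();
        return null;
    }
    return $user;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```

A protected page calls currentUser($pdo) and redirects to the login form when it returns null; the password_hash column is expected to hold the output of password_hash().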