Are Sessions safe with only a username

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

miloske
Forum Newbie
Posts: 4
Joined: Fri Sep 26, 2008 10:58 am

Are Sessions safe with only a username

Post by miloske »

On the login page, I use this:

Code:

session_start(); // must be called before $_SESSION is used
// validation completed and OK
$_SESSION['user'] = $username;

Later, on each page I use:

Code:

session_start(); // must be called before $_SESSION is read
if (!isset($_SESSION['user'])) {
    die;
} else {
    // run the page
}

I don't use cookies.

Is this safe enough? Could users somehow switch the value of the session and be treated as another user? This would be really bad for me, because I use the username from that session not just for authentication but for everything else; for example, when I need to write to the database and need the User_id, I query the database like this:

Code:

$user = $_SESSION['user'];
// username from the session is interpolated directly into the query
$query = mysql_query("SELECT id FROM table WHERE username='$user'");

The administrator panel is out of reach (because it uses a separate session variable, $_SESSION['admin']), but someone could pretend to be another user and mess with their profile.

So, is it possible for someone to change the value of a session (I know it shouldn't be, because sessions are stored on the server), and should I add some random data to my sessions?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Are Sessions safe with only a username

Post by Mordred »

1. When you say session_start(), you're most probably using cookies - they are the link between the user and his session.
2. Use mysql_real_escape_string on the username before the DB query.
miloske
Forum Newbie
Posts: 4
Joined: Fri Sep 26, 2008 10:58 am

Re: Are Sessions safe with only a username

Post by miloske »

Mordred wrote:
2. Use mysql_real_escape_string on the username before the DB query.

I'm already using:

Code:

// escape only when magic_quotes_gpc has not already done so
if (!get_magic_quotes_gpc()) {
    $username = addslashes($username);
}

Should I change it to what you said (then I would have to use stripslashes, right)?
papa
Forum Regular
Posts: 958
Joined: Wed Aug 27, 2008 3:36 am
Location: Sweden/Sthlm

Re: Are Sessions safe with only a username

Post by papa »

I use a code snippet from php.net for killing sessions:

Code:

// if not valid username etc
session_unset();       // drop all session variables
session_destroy();     // remove the server-side session data
$_SESSION = array();   // clear the superglobal for the rest of this request

Simple mysql escape:

Code:

// $user_table and $link (the mysql connection) are set elsewhere in the application
$query = sprintf(
    "SELECT user_name, password FROM " . $user_table . " WHERE user_name = '%s' AND password = '%s'",
    mysql_real_escape_string($user_name, $link),
    mysql_real_escape_string($password, $link)
);

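Pulling the question's three snippets together with Mordred's and papa's advice, here is an added example (not code from anyone in this thread) of how the login, per-page check and lookup can be written so that the session holds an integer id, the session ID is rotated at login, the cookie is expired on logout, and no value from the session is ever interpolated into SQL. It assumes a PDO handle $pdo and a table `users` with columns `id`, `username` and `password_hash` (these names are assumptions).

```php
<?php
// Added example, not from the thread. Assumes $pdo (PDO) and a `users`
// table with `id`, `username`, `password_hash` columns (assumed names).
session_start();

function loginUser(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the username never touches the SQL text.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Session data lives on the server, so the client cannot edit it, but the
    // session ID cookie is the link to it. Issue a fresh ID after authentication
    // so an ID known before login does not become a logged-in session.
    session_regenerate_id(true);
    // Store the immutable id rather than the username; later queries then
    // need no string handling at all.
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function requireLogin(): int
{
    // Per-page check; returns the id for use in parameterised queries.
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

function logoutUser(): void
{
    $_SESSION = [];
    // session_destroy() alone leaves the client holding an ID that the next
    // session_start() would happily reuse, so expire the cookie as well.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```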
shaneiadt
Forum Newbie
Posts: 10
Joined: Sat Mar 15, 2008 9:26 pm

Re: Are Sessions safe with only a username

Post by shaneiadt »

A session is a type of cookie essentially :)
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Are Sessions safe with only a username

Post by Mordred »

shaneiadt wrote:
A session is a type of cookie essentially :)

... not.
miloske
Forum Newbie
Posts: 4
Joined: Fri Sep 26, 2008 10:58 am

Re: Are Sessions safe with only a username

Post by miloske »

Thanks for your replies, they are really helpful.