Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
383 views
in Technique[技术] by (71.8m points)

php - Is this a safe use of Session Variables?

I used $_SESSION['name'] to handle data from page to page. I mainly used it to keep the user logged in between pages. Within every page, i check if $_SESSION[logged_in'] is true or not. If true, keep user logged in. Otherwise, do something else.

This is how i handle my sessions - basic sample:

<?php

session_start();

if($_SESSION['logged_in'])
{
   //show control panel list
}
else
{
     //show login box. Once user logs in. Once user logs in,
     //fetch userID, username, etc from database. Also set 
     //$_SESSION['logged_in'] = true.
}

?>

Somewhere in between codes i do the following:

SELECT * FROM User WHERE userID = $_SESSION['userID'];

I'm not sure if $_SESSION['userID'] would be accessible by users or not. If its accessible, then the page would be in threat because a user could change the userID manually and get access to others account he/she desires.

I'm not much into security. Please advice! What can i do?

Note: i'm trying to make code as simple as possible. For now, no oop is involved.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Your code is vulnerable to session fixation and session hijacking attacks. See http://phpsec.org/projects/guide/4.html for more information.

As you build bigger, more involved applications, you will also want to be careful how you handle logging the user out and handling other session-related aspects, such as privilege escalation. Handling sessions and logins safely is a tricky beast.

Implementing secure authentication is hard. Unless you are doing it as an academic exercise, i would strongly recommend using the library provided by your framework, if you are lucky enough to have a good one.

You will also want to consider things such as the following:

  • Do not allow the session id to be forced. [session fixation]
  • When permissions or credentials are changed (e.g. because the user has now logged in or out) then immediately invalidate the session and start a fresh one.
  • Provide a logout feature, and be sure to invalidate the session upon logout.
  • Set the session cookie to HttpOnly -Preferably, require HTTPS and alo set the cookie to secure only.
  • Consider restricting the session validity to include checking some other information that helps to match the user e.g. user-agent. [session hijacking]
  • Always expire sessions after non-use and do not implement "keep me logged in" by reconnecting the user to their old http session.
  • Ensure that all session-related data is destroyed when a session is invalidated, regardless of where it is stored. A new user coming along, may just happen to get assigned a session id that has been used previously. This new session must not have any access to session data that has been set previously against that session id.

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...