tags:

views:

36

answers:

3
+1  Q: 

php: securing sensitive page functions

I'm new to PHP and trying to get my head around security.

I have an admin page that gives access to certain administrative tasks. Right now, it lets you repopulate database tables with some seed data.

To access the admin page, you first need to login. Currently the login is not over https (it will be soon).

If you authenticate, a token is written into $_SESSION. In every admin page, the token is checked. If invalid, the page is redirected to the login page.

My question:

Is this the proper way to "lock" down sensitive administrative tasks in PHP? Checking a value inside the $_SESSION variable? What more should I be doing?

+2  A: 

That's pretty much the standard way to do it. Authenticate the user against your user database / password file / some other authentication data, store the state of authentication in a session variable and finally check whether the session variable is properly set every time the user attempts to make an action that requires authorization.

code_burgar  2010-03-10 09:06:16
Cool beans. Thanks!
Alan  2010-03-10 09:14:06
+1  A: 

Session IDs are stored client-side usually as a cookie. If someone steals the cookie, they can hijack the session. Even if you use a secure connection for the login, later, unsecured requests will send it over the wire, and any XSS vulnerabilities can be used to capture the session cookie regardless of encrypted communication. Use session_set_cookie_params to limit the subdomain and path of the pages the cookie is sent to.

You can try to use non-spoofable client data to detect hijacking. Since you don't have control over the protocol, about the only such data is the remote IP, though an attacker can make a blind attack while spoofing their IP. However, this doesn't protect against hijackers behind the same NAT as the valid user and has problems with proxied requests.

You might be able to work out something with HTTP digest access authentication. It's a challenge-response authentication protocol and thus designed to work without protocol-level encryption. However, it's based on MD5, which has known weaknesses. Considering the life of the challenge, this may not be an issue. Digest auth is vulnerable to a man-in-the-middle attack.

outis  2010-03-10 09:18:12
+1  A: 

You could look into role based Access Control Lists if you need a more fine grained level of control. This way, authenticated users are granted or denied access to certain parts of your application based on the role you have given them. This is an additional security measure on top of regular password authentication.

If you only got one user, e.g. the admin, ACL is overkill though.

Gordon  2010-03-10 09:24:29

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases