Login system and sessions (php)

Question

I've created a login page and registration page and now I want to use that to password protect pages and have pages which show information specific to that user.

Would storing the user ID of the user logged in in a Session variable be a safe and correct way of doing this?

How easy would it be for a user to change the session variable to a different ID and access another user's information, and not having to type the users login details in?

EDIT: Would posting the user ID from each page to the next be more secure?

Answer 1

Here's an article on session security

If you encrypt user name in such a way that only your PHP scripts can decrypt it then you should be safe I guess.

Answer 2

That's what session meant to be For session security, you can check http://phpsec.org/projects/guide/4.html

Answer 3

I'll talk about the default session behavior, here: sessions are based on a cookie "PHPSESSID" which is set to an MD5 checksum (32 alphanumeric characters). PHP accepts this cookie from the browser, and uses it to load server-side session data. The client has no direct way to modify data in the session, but does get to specify their own session ID.

You can add additional layers of security (SSL, checking the client IP, etc.), but by default if I know your cookie I can effectively login as you. As far as how "easy" that is, well, that depends on lots of other layers of security: is someone sniffing your traffic, do you have malware installed, etc.

Tools like Suhosin attempt to improve session security.

Answer 4

While I'm not aware of any way in which a user could manipulate the information in $_SESSION unless your code (or code on your server) allows them to, so don't do anything crazy like...

foreach($_POST as $key=>$value) { // DON'T DO THIS
    $_SESSION[$key] = $value; // DON'T DO THIS!
} // WHY ARE YOU DOING THIS!?

You shouldn't do anything like this, where you're just putting whatever data the user gives you in your $_SESSION variables. Like the database, writing to the session should be thought of as a form of output, and you should sanitize what you put in it (and where it's put) accordingly.

So, unless you're doing something crazy like this (you might be; it can be much more subtle), I don't think you have to worry about a user changing the session variable. You might have to worry about the threats of a shared hosting environment where someone who's probably not quite an end user is manipulating the session info.

What's not so safe is the session identifier, as there are a few straightforward ways to hijack a session in PHP.

I recommend checking out that book I've been linking to, Essential PHP Secutiry. It's a very small and straightforward (but thorough) explanation of several basic PHP security concepts, many of which can be generalized and should be kept in mind when doing any web dev work.