tags:

views:

218

answers:

3
+3  Q: 

PHP secure Session Check ?

Example,

i have a session that i gave to users that have maching password = stored password, like all simple login system :

if ($pSys->checkPassword($AccountData['password'], $StoredData['password'])) {  // Checks Password and Username
    $_SESSION['login'] = true;
}

so the question is, is this secure enough?

    function loginCheck() // put this on every header page that needs to be loggedin.
    {
        if ( empty( $_SESSION['login'] ))
        {
            header( 'location:index.php' );
            die();
        }
}

is there a diffrence between die() exit() ? second, some say that i should add session_regenerate_id(); ? ( is that an overkill ? ) anyway the real question is said above.

addon*

i have read http://stackoverflow.com/questions/328/php-session-security, but it seems it doesn't match my problem here ( that link is just to general ).

Thanks.

heres the checkPassword()

function checkPassword($password, $storedpassword)
{
    if($password == $storedpassword){
        return true;            
    }
}

Adam Ramadhan

+3  A: 

Answering the first part: empty and die are not comparable:

  • empty is to check if a variable does not exists or has a value equal to false (see also this type comparison table).
  • die is an alias of exit and is used to immediately abort the execution of the current script with an optional message.

Now to your authentication example: Yes, you should use session_regenerate_id to generate a new session ID and revoke the old session ID by setting the optional parameter for session_regenerate_id to true:

if (!sizeof($ErrorAccount)) { // Checks Password and Username
    session_regenerate_id(true);
    $_SESSION['login'] = true;
}

The purpose of session_regenerate_id is to avoid session fixation attacks. This will not be necessary if the server only allows session ids to be sent via cookies, but since PHP by default allows them in URL, you're strongly recommended to regenerate the id.

Gumbo  2010-07-26 18:08:30
i mean die and exit, ive just edit it, thanks gumbo, you are always great on answering questions, so using session_regenerate_id does make effect then .. hmm is that just enough ?
Adam Ramadhan  2010-07-26 18:11:05
Please explain the need for `session_regenerate_id` It would be quite useful for the answer.
George Marian  2010-07-26 18:11:05
how about the logincheck function is that just good ? no need to add things ?
Adam Ramadhan  2010-07-26 18:13:17
I don't think session hijacking is relevant here. I think you also missed the second part I've added by editing over it; you may want to put it back.
Artefacto  2010-07-26 18:15:04
@Adam Ramadhan: That depends on in what cases `$ErrorAccount` is filled. How does the authentication process look like?
Gumbo  2010-07-26 18:15:05
edited. its simple really . thanks for asking it. :) anyway if you have a good example link or code for login system its excellent ..
Adam Ramadhan  2010-07-26 18:21:48
Why is regenerate better than disallowing cookies in the URL?
le dorfier  2010-07-27 06:06:25
@ledorfier It's not about disallowing cookies in the URL, but rather using a cookie to hold the session id instead of placing it in the URL. You'd want to do both. Depending on your security needs, that may not be enough. This page in the php manual gives a brief explanation and links to a white paper (PDF) which talks about session fixation and compares it to session hijacking: http://www.php.net/manual/en/session.security.php
George Marian  2010-07-27 07:11:00
+1  A: 

Since you are looking for answers about security, also don't keep the stored password in plain text. At the very least, salt and hash your passwords, then store the hash. Rehash and compare hashes, not plain text.

Zak  2010-07-26 22:47:20
+1  A: 

You could added a token (hash) to the form and then validate the token to make sure that the token which was submitted via the form is still valid. This helps to prevent CSRF attacks.

You could also store the IP address and browser together with the token in a database for additional validation, however you need to be aware that some ISP's change the clients IP address fairly often and could cause the validation to fail incorrectly.

More Info

KSS  2010-08-10 13:46:50

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases