views: 66

answers: 3

I am fairly new to sessions.

I have a classifieds website, and users may choose to "EDIT" their classifieds.

All they have to enter is a password which they chose when creating the classified.

In the "edit.php" page, if the password is correct, the classified details show up. There is a picture upload tool, which reloads the page but uploads a picture at the same time, and previews to the user.

The problem is that when the pic is uploaded, I don't want the page to ask for the password again (this is because the page reloads). Not so nice if a password was required for every pic upload.

So I have set a session variable like this:

 if($pass==$row['pass']){ $_SESSION['correct_pass']=1; }

then in edit.php on reload, I check against this condition:

 if($pass==$row['pass'] || $_SESSION['correct_pass']==1){
    EDIT AD HERE
 }

The problem (BIG PROBLEM) is that once the user enters a correct password, the SESSION['correct_pass'] is created and set to 1.

After this, the user may click "back" on browser and enter another classifieds ID nr in the URL, and the PHP Session will think the password is still okay.

So in other words, one might change other people's classifieds if you figure this out.

How should I solve this?

If you need more input let me know...

Below are a few lines of code which further describe the edit.php file (not tested):

//FIRST VISIT TO "EDIT.PHP?ad_id=ID_OF_CLASSIFIED_HERE"
if($todo==0){
    //User is shown 2 radios, and a password form, and chooses either to remove classified, or change classified
}

//REMOVE CLASSIFIED
if($todo==1){
    //User has chosen to remove a classified
    if($pass==$row['pass']){
        //DELETE CLASSIFIED
    }
    if($pass!=$row['pass']){
        //SHOW WRONG PASSWORD WARNING
    }
}

//CHANGE CLASSIFIED
if($todo==2){
    //User has chosen to change a classified
    if($pass==$row['pass'] || $_SESSION['correct_pass']==1){
        if(!isset($_SESSION['correct_pass'])){
            $_SESSION['correct_pass']=1;
        }
        //EDIT AD HERE
    }
    else {
        //SHOW WRONG PASSWORD WARNING
    }
}

Thanks

+3  A: 

Instead of storing a flag whether the user has entered a correct password or not, store a hash of the password in the session. Then when they try and edit a classified, compare the hash of the password in the session with the hash of the password used to create the classified.

Salt the password with the userid (if you have one), and that should protect against collisions of shitty passwords.

taspeotis
Okay, sounds good. By salting the password, you mean to salt the hashed password which is stored in the session right?
Camran
A simple way is to make it a component of your hash function, eg `function hash($userid, $password) { return md5($userid . $password); }` - note that using the UserID is quite a simple example. An even more secure solution is to generate a random salt value for each user (e.g. `Q5%`), so you append the salt value for the user to their password before you hash it.
taspeotis
@taspeotis first of all md5 should never be used, sha1 is far more secure and sha256 is far more secure than that. 2nd of all salting with a userid doesn't make any sense, the salt is so small that a generic alpha-numeric rainbow table is going to break it.
Rook
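The approach from this answer, as an added example that is not code from the question or the answer: the session keeps the hash of the password the user typed, and every later request re-hashes nothing but simply compares that stored hash against the hash of the classified actually named in the URL. Following the comment thread, md5 is swapped for HMAC-SHA256 with a random per-classified salt, so the same weak password on two ads still yields two different hashes and the session value only ever matches the one ad it was entered for. The `$ads` array (a stand-in for the database), `$session` (a stand-in for `$_SESSION`) and the sample passwords are constructed for the example.

```php
<?php
// Added example: password hash kept in the session, compared per classified.
// Assumptions: each classified row stores a random salt and the HMAC-SHA256 of
// its password under that salt; $ads stands in for the DB, $session for $_SESSION.
declare(strict_types=1);

function hashAdPassword(string $salt, string $password): string
{
    // The per-ad salt is the HMAC key, so equal passwords on different ads differ.
    return hash_hmac('sha256', $password, $salt);
}

function createAd(array &$ads, int $adId, string $password): void
{
    $salt = bin2hex(random_bytes(16));        // random per-classified salt
    $ads[$adId] = ['salt' => $salt, 'hash' => hashAdPassword($salt, $password)];
}

// Step 1: the password form for one classified. On success the session keeps
// the hash for *that* ad, not a global "password was correct" flag.
function login(array $ads, array &$session, int $adId, string $password): bool
{
    if (!isset($ads[$adId])) {
        return false;
    }
    $candidate = hashAdPassword($ads[$adId]['salt'], $password);
    if (!hash_equals($ads[$adId]['hash'], $candidate)) {   // constant-time compare
        return false;
    }
    $session['ad_pass_hash'] = $candidate;
    return true;
}

// Step 2: every later request (including the picture-upload reload) compares
// the session hash against the hash of the ad named in the current URL.
function mayEdit(array $ads, array $session, int $adId): bool
{
    if (!isset($ads[$adId], $session['ad_pass_hash'])) {
        return false;
    }
    return hash_equals($ads[$adId]['hash'], $session['ad_pass_hash']);
}

// Constructed sample data: two ads that happen to share the same weak password.
$ads = [];
createAd($ads, 101, 'hunter2');
createAd($ads, 102, 'hunter2');

$session = [];                              // stand-in for $_SESSION
login($ads, $session, 101, 'hunter2');
var_dump(mayEdit($ads, $session, 101));     // bool(true): the upload reload keeps working
var_dump(mayEdit($ads, $session, 102));     // bool(false): changing ad_id in the URL is refused
```

The second `var_dump` is the check the question was missing: because ad 102 has its own salt, the hash in the session never equals its stored hash, even though the password is identical. Note that HMAC-SHA256 is a fast hash; the comparison trick only works with a deterministic hash, so if you would rather store `password_hash()` output, keep a list of authorized ad ids in the session instead of a hash.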
A: 

Why not just store a list of the items they are authorized for such as:

$_SESSION['authorizedPages'][$pageID] = true;   // set only after the password for $pageID has been verified

if (!isset($_SESSION['authorizedPages'][$pageID]))
{
    echo $loginForm;
}
else
{
    echo $editForm;
}
Anthony Greco
You're trusting the user to never modify their session variables.
taspeotis
are you sure you're not thinking of $_COOKIE instead of $_SESSION? A Session is stored locally on your server and a user has no way to change it. All that is stored on their computer is a session hash that tells your web server (Apache), "Hey session ABC is mine so load that for me". If it were a cookie they could mod it, but modding their session variable would basically just give them a new session
Anthony Greco
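The per-classified authorization list from this answer, written out as an added example (not the answerer's code, and not the question's): the session records which ad ids the user has proven the password for, keyed by ad id, so a flag earned on one classified says nothing about another. The classified passwords are stored with `password_hash()` and checked with `password_verify()`, which are assumptions about the schema; `$ads` stands in for the database and `$session` for `$_SESSION`. The question's global-flag check is kept alongside for contrast.

```php
<?php
// Added example: per-ad authorization list in the session.
// Assumptions: the classifieds table stores password_hash() output;
// $ads stands in for the DB, $session for $_SESSION.
declare(strict_types=1);

function createAd(array &$ads, int $adId, string $password): void
{
    $ads[$adId] = ['hash' => password_hash($password, PASSWORD_DEFAULT)];
}

// Called when the password form is submitted (todo=1 remove / todo=2 edit).
function authorize(array $ads, array &$session, int $adId, string $password): bool
{
    if (!isset($ads[$adId]) || !password_verify($password, $ads[$adId]['hash'])) {
        return false;
    }
    $session['authorizedAds'][$adId] = true;   // keyed by the specific ad id
    return true;
}

// Called on every request, including the picture-upload reload, with the
// ad id taken from the current URL.
function isAuthorized(array $session, int $adId): bool
{
    return isset($session['authorizedAds'][$adId]);
}

// Drop the grant once the edit is saved or the ad is deleted.
function revoke(array &$session, int $adId): void
{
    unset($session['authorizedAds'][$adId]);
}

// The question's check, kept for contrast: one flag unlocks every ad.
function isAuthorizedGlobalFlag(array $session): bool
{
    return isset($session['correct_pass']) && $session['correct_pass'] == 1;
}

// Constructed sample data.
$ads = [];
createAd($ads, 101, 'hunter2');
createAd($ads, 102, 'swordfish');

$session = [];
authorize($ads, $session, 101, 'hunter2');
var_dump(isAuthorized($session, 101));       // bool(true): the upload reload keeps working
var_dump(isAuthorized($session, 102));       // bool(false): another ad id in the URL stays locked
revoke($session, 101);
var_dump(isAuthorized($session, 101));       // bool(false)
```

Because the grant lives in `$_SESSION` on the server, the user cannot edit it from the browser (as the comment above notes, all they hold is the session id); what matters is that the grant is scoped to an ad id rather than to the whole session.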
+1  A: 

Let me suggest one possible approach to this kind of problem.

You may generate some long random string (uploadId), remember it on the server side (in the database / session) and pass it as an additional request parameter in a hidden input element.

Then, when an image is uploaded, you may compare these values and check whether any image was already uploaded with this "uploadId". If that's the first time an image with this uploadId comes, then you should remember on the server side that this uploadId was already used once, and accept the upload.

Already used uploadId values may be removed after some timeout / after user logout.

Kel
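The one-time uploadId from this answer, as an added example (not Kel's code): a random token is issued server-side, bound to one classified, embedded in a hidden field of the upload form, and consumed on first use so a replay or a token presented for a different ad is rejected. The token store is kept in `$session` (a stand-in for `$_SESSION`), the field name `uploadId` follows the answer, and the 900-second expiry is an assumption.

```php
<?php
// Added example: single-use upload token ("uploadId") kept server-side.
// Assumptions: $session stands in for $_SESSION; the TTL is illustrative.
declare(strict_types=1);

const UPLOAD_TOKEN_TTL = 900;   // seconds; assumption

// Issue a token bound to one classified and remember it on the server side.
function issueUploadToken(array &$session, int $adId, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $session['uploadTokens'][$token] = ['ad_id' => $adId, 'issued' => $now, 'used' => false];
    return $token;
}

// The hidden input that carries the token back with the upload form.
function uploadFormHtml(string $token): string
{
    $safe = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="uploadId" value="' . $safe . '">';
}

// On the upload request: the token must exist, belong to the ad in the URL,
// be unexpired and unused. The first valid use marks it used.
function consumeUploadToken(array &$session, int $adId, ?string $token, int $now): bool
{
    if ($token === null || !isset($session['uploadTokens'][$token])) {
        return false;
    }
    $rec = &$session['uploadTokens'][$token];
    if ($rec['ad_id'] !== $adId || $rec['used'] || $now - $rec['issued'] > UPLOAD_TOKEN_TTL) {
        return false;
    }
    $rec['used'] = true;
    return true;
}

// Housekeeping after a timeout or at logout: drop used and expired tokens.
function purgeUploadTokens(array &$session, int $now): void
{
    foreach ($session['uploadTokens'] ?? [] as $token => $rec) {
        if ($rec['used'] || $now - $rec['issued'] > UPLOAD_TOKEN_TTL) {
            unset($session['uploadTokens'][$token]);
        }
    }
}

// Constructed walk-through.
$session = [];
$now = time();
$t = issueUploadToken($session, 101, $now);
echo uploadFormHtml($t), "\n";
var_dump(consumeUploadToken($session, 101, $t, $now));   // bool(true):  first upload accepted
var_dump(consumeUploadToken($session, 101, $t, $now));   // bool(false): replay of the same token
$t2 = issueUploadToken($session, 101, $now);
var_dump(consumeUploadToken($session, 102, $t2, $now));  // bool(false): token was issued for ad 101
purgeUploadTokens($session, $now + UPLOAD_TOKEN_TTL + 1);
var_dump(count($session['uploadTokens'] ?? []));         // int(0)
```

The token only proves that this upload request came from a form the server rendered for this ad; it does not replace the per-ad password check, so issue it from the same code path that has just verified the password for that classified.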