views: 60
answers: 3

In a similar vein to my previous question - I'm not a very experienced PHP programmer. I know nothing about sessions or security (other than what I learnt an hour ago about md5 and sha1 with salt).

I have a login system, and I wish to create a session that stores an encrypted string of a user's username mixed with a timestamp. I know how to create the string, but I know nothing about sessions or how they work.

I've spent the past hour Googling for a solution, but they all seem too basic or outdated. I'm looking for something that has concrete security, but is also simple (due to my inexperience).

How would I (on administrative pages) check to see if the user has logged in, assuming this string is encrypted?

I know there are similar questions but I need an answer from a complete layman's point of view as I do not know how to implement this solution.

Thanks for any help you can offer

+1  A: 

After the user logs in, store its identifier in the session. On the administrative page, read this session value and use it to query the database to determine if the user has admin privileges. If he doesn't, show an error.

Obviously, this admits variations (e.g. storing in the session a User object that already contains info about administrative status of the user).

The data in $_SESSION cannot (unless you do something very dumb) be tampered with by the client, since it's stored in the server. You don't need to encrypt or hash anything.

Artefacto
+2  A: 

I wish to create a session that stores an encrypted string of their username

Why? Unless you are decrypting it, there's no advantage over using a hashed or even random value. And if you're decrypting it, then the key must be stored in your data too - so it's just security by obscurity.

How would I (on administrative pages) check to see if the user has logged in, assuming this string is encrypted?

Don't store the username in a session variable until it has been authenticated. Then if the variable is populated you know that the user has been authenticated.

symcbean
BTW you already have a random value associated with the session - the session id.
symcbean
Oh, I thought I had to manually set the session ID. So if I wanted to identify a particular user I could: $_SESSION['username'] = $username; then on another page I could output: echo "Hello " . $_SESSION['username']; Is this the case?
Daniel Hanly
@Daniel yes, that's the case.
Artefacto
And would I be correct in saying when User B logs in, $_SESSION['username'] = $username is not overwritten because each $_SESSION is stored against its session id, which would be unique for every session start?
Daniel Hanly
yes - otherwise $_SESSION would not describe the session - it would describe the system as a whole
symcbean
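Putting the two answers and the comment thread together as working code. This is an added example, not code from either answer; it assumes a hypothetical `db.php` that creates a PDO connection `$pdo`, and a hypothetical `users` table with columns `id`, `username`, `password_hash` (stored with PHP's `password_hash()`) and `is_admin`. It follows symcbean's point that nothing is written to `$_SESSION` until the password check has succeeded, and Artefacto's point that the admin page looks the privilege up in the database from the stored identifier rather than trusting anything sent by the browser:

```php
<?php
// ---- login.php ----------------------------------------------------------
// Added example (not from the original answers). Assumes db.php creates $pdo
// and a `users` table: id, username, password_hash, is_admin.
require 'db.php';
session_start();

// Returns the user row on success, or null on unknown user / wrong password.
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash, is_admin FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return null;
    }
    return $user;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($user === null) {
        http_response_code(401);
        exit('Invalid username or password');
    }
    // Only now, after a successful check, does anything go into $_SESSION.
    // A fresh session id means the authenticated session is not the same
    // one the browser carried before logging in.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $user['id'];
    $_SESSION['username'] = $user['username'];
    header('Location: /admin.php');
    exit;
}

// ---- admin.php ----------------------------------------------------------
require 'db.php';
session_start();

// No user_id in the session means login.php never got past password_verify()
// for this session, so the visitor is not logged in.
if (!isset($_SESSION['user_id'])) {
    header('Location: /login.php');
    exit;
}

// Re-check the privilege in the database on every request instead of caching
// a flag in the session, so revoking admin rights takes effect immediately.
$stmt = $pdo->prepare('SELECT is_admin FROM users WHERE id = ?');
$stmt->execute([$_SESSION['user_id']]);
if (!(bool) $stmt->fetchColumn()) {
    http_response_code(403);
    exit('Forbidden');
}

// The greeting from the comment thread; escaped because it is echoed into HTML.
echo 'Hello ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');

// ---- logout.php ---------------------------------------------------------
session_start();
$_SESSION = [];        // drop the data for this session id only
session_destroy();     // remove the server-side session store for this id
```

Each browser gets its own session id in its cookie, and PHP keeps a separate server-side store per id, which is why User B logging in does not overwrite User A's `$_SESSION['username']`. The session cookie is the only thing the client holds, so there is nothing for the client to tamper with in the stored username or id; the check that matters is that the value is only ever set after authentication.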
A: 

There are ways of securing a PHP session, but one must first understand what level of security is needed and what does he/she achieve finally.

Here is a blog post by Corey Ballou http://www.jqueryin.com/2009/11/20/php-secure-sessions/ which I guess is nice enough to clear your doubts on securing PHP Sessions.

Aman Kumar Jain