tags:

views:

319

answers:

5
+3  Q: 

Bad handling of PHP sessions variables?

I'm currently using the following code in my cms to check if visitor is logged in as admin so that he can edit the current page:

if($_SESSION['admin']=="1")
{
        echo "<a href="foobar/?update">edit</a>";
}

But I'm worried that the code is unsafe. Can't $_session variables easily be modified by the user?

What would be a safer practice?

+3  A: 

No, that's a good way to do it. The user can't modify the $_SESSION global, unless he has access to your server. Remember to stay away from client-side cookies.

To make it even more safe, a good way is to store the IP-adress and check that it stays the same between every request.

alexn  2009-05-04 14:19:20
Thanks! Checking IP sounds good; I reckon you should store the ip directly after session_start(), e.g.:session_start()$_SESSION["visitorIp"] = $_SERVER['REMOTE_ADDR'];Right?
AquinasTub  2009-05-04 14:27:06
Checking the IP address is a bad idea actually - there are plenty of organisations with proxies that mean a user can appear to have several IP addresses. This also used to affect all AOL users - not sure if it still does.
Greg  2009-05-04 14:33:43
@AquinasTub: Not quite. You aren't checking the visitorIp, just writing it. It should look more like if isset($_SESSION['username']) {/* check user ip */ if ($_SESSION['visitorIp'] != $_SERVER['REMOTE_ADDR']) {session_unset(); header("Location: /login"); exit();} } /* Set user IP */ $_SESSION['visitorIp'] == $_SERVER['REMOTE_ADDR'];
phihag  2009-05-04 14:37:21
@Greg: No, it's not if you require proper Cookies AND the ip. It would only be unsafe if you used it as a single authentication factor.
phihag  2009-05-04 14:39:02
With IP checking, how would you handle multiple IPs? Doesn't that mean that a user can't stay logged in at multiple computers? Or worse: at the same computer if their ISP gives them different IPs each time?
Dinah  2009-05-04 15:35:49
@Dinah: Not if you create a separate session for each ip. I actually implement IP checking authentication (with others) on my PHP system, and I can be logged in from as many computers/IPs as I want. Each system/ip has its own session.
Andrew  2009-05-04 15:48:19
I would check to see if the user agent string has changed, and if so, call session_regenerate_id()
alex  2009-05-05 11:49:06
A: 

Session variables should be safe enough once your coding is secure.

Also, use the follow instead. Stops mistakes with == Probably should also use true too as it is a lot quicker than string comparisons. 

if( "1" === $_SESSION['admin'] )
Ryaner  2009-05-04 14:19:32
+1  A: 

$_SESSION variables can not be set by the user. The code is therefore perfectly fine, although you would usually ask your user backend (typically just a table users, sometimes LDAP) about the current user's privileges.

phihag  2009-05-04 14:20:05
+3  A: 

The code is OK, you're just showing a link. Just make sure that your UPDATE script is protected as well.

Mario  2009-05-04 15:27:53
+1  A: 

I found this presentation about session security

It explains how to avoid:

  • Session fixation.
  • Session hijacking.

Also the slide with more information has some really goods links

Alfred  2009-05-05 11:21:00

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases