Session Security?

Is it secure to use
if ($_SESSION['authenticated'] == true)
    ///// Show secure page
Can someone just go and change where the session variable is stored to make their $_SESSION['authenticated'] equal to true?
Same thing with a user having $_SESSION['id'] equal to their index id. How would I be able to make this more secure? Could someone just go and change the id value and impersonate another user?
Would the method below be the right way to make something more secure?
$_SESSION['random_check'] = (random number), and also store this in a column in my database, and each time I would
if ($_SESSION['authenticated'] == true && $_SESSION['random_check'] == random_number)
    ///// Then show secure page
Thanks,

I'm pretty sure Session in most hosting is just an interface to your filesystem, i.e. all Session data is stored on the server's hard disk; if you look at phpinfo() output, you can see the actual path of the Session data.
With that said, unless you chmod your session path to 777 and the attacker happens to know where you are hosting your app and has the login, I don't think it's much of an issue.
The bigger issue here is securing your cookie, as it's the piece of information that goes back and forth between your server and client, which attackers can use to impersonate legit users.
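The question asks whether a visitor can rewrite $_SESSION['authenticated'] or $_SESSION['id'], and the reply above points out that the session data sits on the server and only the cookie is exposed. The following is an added example, not code from either poster, that puts both points into one login/guard flow: the cookie carrying the session id is locked down, the id is regenerated at login, and the poster's "random_check" idea is implemented as a per-login secret stored both in the session and in the database so a login can be revoked from the server side. It assumes a PDO connection in $pdo and a users table with the columns id, username, password_hash and session_check (the last one added for this example).

```php
<?php
// Added example, not code from the thread. Assumes a PDO connection $pdo and a
// "users" table with columns id, username, password_hash, session_check.
declare(strict_types=1);

function startSecureSession(): void
{
    // Session data lives on the server; only the session id travels in the
    // cookie, so the cookie is what must be protected.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // reject ids the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the id from the URL
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Fresh id after the privilege change so a pre-login id cannot be reused.
    session_regenerate_id(true);

    // The poster's "random_check": a per-login secret kept in the session and in
    // the DB; clearing the DB column invalidates the login server-side.
    $check = bin2hex(random_bytes(32));
    $pdo->prepare('UPDATE users SET session_check = ? WHERE id = ?')
        ->execute([$check, $user['id']]);

    $_SESSION['authenticated'] = true;
    $_SESSION['id'] = (int) $user['id'];
    $_SESSION['random_check'] = $check;
    return true;
}

function isAuthenticated(PDO $pdo): bool
{
    if (empty($_SESSION['authenticated']) || !isset($_SESSION['id'], $_SESSION['random_check'])) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT session_check FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['id']]);
    $dbCheck = $stmt->fetchColumn();
    // Constant-time comparison of the two copies of the secret.
    return is_string($dbCheck) && hash_equals($dbCheck, (string) $_SESSION['random_check']);
}

function logout(PDO $pdo): void
{
    if (isset($_SESSION['id'])) {
        $pdo->prepare('UPDATE users SET session_check = NULL WHERE id = ?')
            ->execute([$_SESSION['id']]);
    }
    $_SESSION = [];
    session_destroy();
}

// Usage at the top of a protected page:
// startSecureSession();
// if (!isAuthenticated($pdo)) { header('Location: login.php'); exit; }
```

The DB lookup does not stop anyone from editing the session store (someone with write access to the session files already has the server), but it does give the server a way to end a login from outside the session, which the plain $_SESSION['authenticated'] flag cannot do.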

Yes, it is secure to use. I use this. I do this: check login; if it is a valid login, set $_SESSION['logged'] = 'yes' and generate a token $_SESSION['token'] = 'the token'. I save this token in an HTML input element and check it on each action. Something like:

<?php
// class.token.php

class token
{
    // Create a new token and keep it in the session
    public function generateToken()
    {
        return $_SESSION['token'] = md5(microtime());
    }

    // Hidden input carrying the token (assumed markup; the answer says the
    // token is kept in an input element)
    public function generateField($name = "token")
    {
        return '<input type="hidden" name="' . $name . '" value="' . $this->getToken() . '">';
    }

    public function getToken()
    {
        return $_SESSION['token'];
    }

    // Read the submitted token from the query string or the form body
    public function getTokenFromFields($method = "GET")
    {
        $source = strtoupper($method) == "GET" ? $_GET : $_POST;
        return isset($source['token']) ? $source['token'] : null;
    }

    public function checkToken()
    {
        return $this->getToken() == $this->getTokenFromFields();
    }

    public function updateToken()
    {
        $_SESSION['token'] = md5(microtime());
    }
}
?>

<?php
// other file
session_start();
require 'class.token.php';
$token = new token();
$Atoken = $token->generateToken();
echo '<form method="get" action="process.php">'; // assumed tag; the echoed markup was lost from the page
echo $token->generateField();
echo '</form>';
?>

In process.php:
<?php
session_start();
if (isset($_GET['token']) && $_SESSION['token'] == $_GET['token']) {
    // do something
} else {
    die('bad token');
}
?>
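The token class above gives the shape of a per-request token check, but md5(microtime()) is guessable from the response time and a plain == comparison on a value taken straight from $_GET leaks timing and accepts a missing field as "0" or null. Here is an added, hardened version of the same class, written for this page rather than taken from the answer; it assumes session_start() has already been called and that state-changing actions are submitted with POST.

```php
<?php
// Added example: hardened form of the token class in the answer above.
// Not the poster's code. Assumes session_start() has already run.
declare(strict_types=1);

final class Token
{
    private const KEY = 'token';

    // Unpredictable token from the CSPRNG instead of md5(microtime()).
    public function generateToken(): string
    {
        $_SESSION[self::KEY] = bin2hex(random_bytes(32));
        return $_SESSION[self::KEY];
    }

    public function getToken(): string
    {
        if (empty($_SESSION[self::KEY])) {
            return $this->generateToken();
        }
        return $_SESSION[self::KEY];
    }

    // Hidden field with both attributes escaped so the markup cannot be broken.
    public function generateField(string $name = 'token'): string
    {
        return sprintf(
            '<input type="hidden" name="%s" value="%s">',
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($this->getToken(), ENT_QUOTES, 'UTF-8')
        );
    }

    // Null when the field is absent or not a string, so the check fails closed.
    public function getTokenFromFields(string $method = 'POST'): ?string
    {
        $source = strtoupper($method) === 'GET' ? $_GET : $_POST;
        return (isset($source['token']) && is_string($source['token'])) ? $source['token'] : null;
    }

    // Constant-time comparison against the session copy.
    public function checkToken(string $method = 'POST'): bool
    {
        $submitted = $this->getTokenFromFields($method);
        if ($submitted === null || empty($_SESSION[self::KEY])) {
            return false;
        }
        return hash_equals($_SESSION[self::KEY], $submitted);
    }

    // Rotate after a successful use if one token per action is wanted.
    public function updateToken(): string
    {
        return $this->generateToken();
    }
}

// process.php:
// $token = new Token();
// if (!$token->checkToken('POST')) { http_response_code(403); exit('bad token'); }
// ... do the action, then optionally $token->updateToken();
```

Sending the token by POST rather than GET keeps it out of URLs, server logs and Referer headers, which is why the default method here is POST even though the original example reads it from $_GET.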
