
PHP question: how safe is using $_SESSION for authentication control

Alex

Diamond Member
so far i've been controlling user access and logon by checking $_SESSION variables which are set when the user logs on or off.

i'm about to start a larger-scale project and i was wondering how safe this is?
i usually store plaintext integers in session variables that determine what the user's access level is... should i add an md5 or something to complicate it or is it ok as it is?

thanks

Alex
 
I believe that is pretty safe. I added 2 steps in my auth functions to match the session against a cookie, and the session against a database entry for extra security. In my mind, if someone gains access to the session, they will also need to access the cookie and database in order to log in. I don't know how much safer it actually makes it, but it gives me a warm, fuzzy feeling, so it must be working... right?
 
Originally posted by: troytime
define 'larger-scale'?

sessions aren't very friendly once the site has more than one webserver

definitely one webserver only 🙂

Originally posted by: ZeroIQ
I believe that is pretty safe. I added 2 steps in my auth functions to match the session against a cookie, and the session against a database entry for extra security. In my mind, if someone gains access to the session, they will also need to access the cookie and database in order to log in. I don't know how much safer it actually makes it, but it gives me a warm, fuzzy feeling, so it must be working... right?


could you explain your method in more detail please?
 
The safety of $_SESSION variables is only as safe as the safety of the location where the session data is stored as files. That is why you want to have every website on a server have its own location for session files if possible. This also goes for MySQL database files.
 
but from what i gather sessions sometimes use cookies to work so if i stored something like $_SESSION['auth']="admin", would that show up as a cookie on the users computer?

*goes to test this on localhost right now*
 
$_SESSION is an array of session specific variables. Cookies will only exist if you specifically define them.

edit - To clarify, all session variable tracking is done server side like the php. So the answer to your most recent question is no.
 
No, the session id is propagated through the cookie, not the session data, which is stored on the server. You will see a cookie in your browser called PHPSESSID and the content will contain the encoded session id.

You could then look on your server's hard drive where the php session_save_path() function points to and see a new file made when you ran the script from your browser.

 
How are you handling the case for when the user does not explicitly log out but the session times out and expires? You will not be able to check the values of the session variables because the variables would no longer exist, no?
 
Well some sort of basic session checking is what everyone needs to do. Something like :

if (!isset($_SESSION)) {   // no session loaded yet for this request
    session_start();       // resume the session named by the PHPSESSID cookie, or create a new one
}
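To tie the thread's points together (session data lives on the server, only PHPSESSID reaches the browser, and expired sessions simply have no variables to check), here is an added example of a small session-based auth helper; it is not code from the thread, and it assumes a hypothetical `users` table with columns id, username, password_hash and access_level, plus PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example, not code from the thread. Assumes a hypothetical `users` table
// with columns id, username, password_hash and access_level (PHP >= 7.3).
const IDLE_TIMEOUT = 1800; // seconds of inactivity before we treat the session as expired

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Only the PHPSESSID cookie reaches the browser; keep it out of JavaScript and off plain HTTP.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

function loginUser(PDO $db, string $username, string $password): bool
{
    startSecureSession();
    $stmt = $db->prepare('SELECT id, password_hash, access_level FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);           // fresh id after login, so a pre-login id is useless
    $_SESSION['user_id']       = (int) $row['id'];
    $_SESSION['access_level']  = (int) $row['access_level']; // plain integer is fine: it never leaves the server
    $_SESSION['last_activity'] = time();
    return true;
}

// Access level of the logged-in user, or null when not logged in or idle for too long.
function currentAccessLevel(): ?int
{
    startSecureSession();
    if (!isset($_SESSION['user_id'], $_SESSION['last_activity'])) {
        return null;                       // never logged in, or the session data is already gone
    }
    if (time() - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        logoutUser();
        return null;
    }
    $_SESSION['last_activity'] = time();
    return $_SESSION['access_level'];
}

function logoutUser(): void
{
    $_SESSION = [];
    session_destroy();
}
```

A page that needs admin rights just calls currentAccessLevel() and treats null or a too-low integer the same way, so an expired or garbage-collected session falls through to "not logged in" without any special casing.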

 