Making User Login System Secure with $_SESSION in PHP [closed]

Question

I am hoping that someone can help me out here, I am creating a PHP web app that requires a user to login to view there data in the mysql database.

I just want to know if this is a good approach and is it secure enough? I know that nothing is secure in PHP scripting but I need this fairly secure.

So here is what I am doing step by step, if you could point me in the right direction and tell me what is wrong that would be great!

• User logs in with user and password.
• PHP checks user and password against the database.

• If OK, I store the $SESSION["username"]; (There username) to the session.

• On every request/page load I have a function (below) to check the session.

  function check_session_valid(){ if(!isset($_SESSION['username'])||$_SESSION['username'] == ""){ header("Location: /login.php"); } }

Now is this safe or am I doing this all completely wrong?

Here is what I am thinking that the user could do to "hack" the app:

On the registration page, when the user enters there username it will let them know if the username is available.

So could the "hacker" not just find a username that is not available and then write a PHP script to set the $_SESSION["username"] in there browser. Then navigate to the .index.php page and be logged into some other users account?

I am also using "session_start();" before I "check_session_valid();" on every request, is that wrong?

Hope some of you PHP experts out there can help me out here!

Thanks

Answer 1

So could the "hacker" not just find a username that is not available and then write a PHP script to set the $_SESSION["username"] in there browser. Then navigate to the .index.php page and be logged into some other users account?

If a hacker can write code that will run on your server, then yes, this is completely possible.

However, if they can get code onto your server, they can literally do anything. You're completely hosed at that point. (and session security is the least of your worries).

So the question comes, short of a code-injection attack, is it secure?

Well, let's look at the possible attack vectors:

1. Session Hijacking

   If the attacker observes HTTP requests, they can pick a valid user's cookie out of the traffic, and use it to "hijack" their session.

   If you use HTTPS, then this attack is impossible.

   So use HTTPS.

2. Session Fixation

   If you allow URL based session identifiers, an attacker could forge an id and send it to a victim. The victim then logs in, and boom, the attacker has rights.

   You can prevent this in two ways: first, don't allow session identifiers in URLs: session.use_only_cookies

   Second, you should rotate the session identifiers on login (session_regenerate_id())...

Answer 2

I have read your post. You have said that "nothing is secure in PHP scripting " really shock me. let me try to answer your question.

You have said if hacker create a cookie in browser can they hack my session? my answer is no. Lets learn how actually session works.

First, when you start session it will create a file in your server with a random file name and a random serial number (session_id) and it will be store in your browser.

Second, when you will add/edit values into your session using $_SESSON then based on your session_id got from your browser cookie in a file it will be change. you can say session id work as a reference between your browser & your server session file.

So there is no possibility of hacking of session if you do not provider hacker the session_id that remains as a cookie.