Session Security?

Tags: php, session

Is it secure to use

if ($_SESSION['authenticated'] == true) {
    // show secure page
}

Can someone just go and change where the session variable is stored to make their $_SESSION['authenticated'] equal to true?

Same thing with a user having $_SESSION['id'] equal to their index id. How would I be able to make this more secure? Could someone just go and change the id value and impersonate another user?

Would the below method be the right way to make something more secure?

$_SESSION['random_check'] = $random_number; // a random number generated at login

and also store this in a column in my database and each time I would

// $random_number: the value stored in the database for this user
if ($_SESSION['authenticated'] == true && $_SESSION['random_check'] == $random_number) {
    // then show secure page
}

Thanks,

d.mc2 Avatar asked Aug 05 '11 03:08



2 Answers

I'm pretty sure Session in most hosting is just an interface to your filesystem, i.e. all Session data is stored on the server's hard disk. If you look at the phpinfo() output, you can see the actual path where the Session data is stored.

With that said, unless you chmod your session path to 777 and the attacker happens to know where you are hosting your app and has the login, then I don't think it's much of an issue.

The bigger issue here is securing your cookie as it's the piece of information that's going back and forth through your server and client, which attackers can use to impersonate legit users.

Andreas Wong Avatar answered Nov 10 '22 17:11



Yes, it is secure to use. I use this. I do this: check the login; if it is a valid login, set $_SESSION['logged'] = 'yes' and generate a token $_SESSION['token'] = 'the token'. I save this token in a hidden HTML input element and check it in each action. Something like:

<?php
// class.token.php
// The caller must have called session_start() before using this class.
class token {

    public function generateToken() {
        // note: microtime() is predictable; random_bytes() gives an unguessable token
        return $_SESSION['token'] = md5( microtime() );
    }

    public function generateField($name = "token") {
        return "<input type='hidden' value='{$_SESSION['token']}' name='{$name}'>";
    }

    public function getToken() {
        return $_SESSION['token'];
    }

    public function getTokenFromFields($method = "GET") {
        // '?? ""' avoids an undefined-index notice when no token was sent
        return strtoupper($method) == "GET" ? ($_GET['token'] ?? '') : ($_POST['token'] ?? '');
    }

    public function checkToken($method = "GET") {
        // hash_equals: strict, constant-time string comparison instead of loose ==
        return hash_equals((string) $this->getToken(), (string) $this->getTokenFromFields($method));
    }

    public function updateToken() {
        $_SESSION['token'] = md5( microtime() );
    }
}
?>

<?php
// other file
session_start();
require 'class.token.php';
$token = new token();
$Atoken = $token->generateToken();
echo "<script>
        var data = {};
        data['token'] = '{$Atoken}';
        data['foo'] = 'baa';
    </script>";
echo $token->generateField(); // echo: generateField() returns the markup, it does not print it
?>

<script>
$.ajax({
    type: "GET",
    url: "process.php",
    data: "foo=baa&token=" + data.token, // passed as the data: option, not a bare string
    success: function(response) { }
});
</script>

In process.php:

<?php
session_start();
$sent = $_GET['token'] ?? '';
if (isset($_SESSION['token']) && is_string($sent) && hash_equals($_SESSION['token'], $sent)) {
    // do something
} else {
    die('bad token');
}
?>
The Mask Avatar answered Nov 10 '22 16:11

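As an added example (not code from the question or from either answer), here is the server-side pattern the two answers point at: the login state lives only in $_SESSION, the session cookie is hardened, the id is regenerated at login, and the per-session token is unguessable and compared with hash_equals. It assumes a hypothetical verify_credentials() that returns the user's id on success and null otherwise.

```php
<?php
// Added example, not from the question or either answer. Assumes a
// hypothetical verify_credentials() returning the user id or null.
declare(strict_types=1);

// Cookie hardening: the session id cookie is the value an attacker wants.
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',  // not sent on most cross-site requests
]);
session_start();

function login_user(string $username, string $password): bool
{
    $id = verify_credentials($username, $password); // hypothetical, see lead-in
    if ($id === null) {
        return false;
    }
    // New session id on privilege change, so a pre-set id cannot be reused.
    session_regenerate_id(true);
    // Server-side state only: the client never sees or edits these values.
    $_SESSION['user_id'] = $id;
    // Unpredictable token; md5(microtime()) is guessable, random_bytes() is not.
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    return true;
}

function csrf_field(): string
{
    $t = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
    return "<input type='hidden' name='token' value='{$t}'>";
}

// Call at the top of every state-changing handler (e.g. process.php).
function require_authenticated_request(): void
{
    if (!isset($_SESSION['user_id'], $_SESSION['csrf_token'])) {
        http_response_code(401);
        exit('not logged in');
    }
    $sent = $_POST['token'] ?? '';
    // hash_equals: constant-time, and never loose == on strings, which would
    // treat numeric-looking values such as "0e123" and "0e456" as equal.
    if (!is_string($sent) || !hash_equals($_SESSION['csrf_token'], $sent)) {
        http_response_code(403);
        exit('bad token');
    }
}
```

The point for the original question: nothing in $_SESSION is reachable from the browser, so the thing to protect is the session cookie and the token that proves a request came from your own page.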