Posted by Jerry Stuckle on 01/19/08 01:35
R. Rajesh Jeba Anbiah wrote:
 > On Jan 17, 3:32 pm, p...@impulzief.nl wrote:
 >> Dear All,
 >>
 >> What I was wondering is how safe it is to store user_id or username or
 >> anything like that in the session. I usually store a bunch of info in a
 >> session so I do not need to search the database all the time. However,
 >> is it easy to change a value after being logged in?
 >>
 >> For example:
 >> - A user logs in
 >> - Now set is: $_SESSION["user_id"] = 34;
 >> - If he opens his "Profile page", the website collects all personal
 >> information from table users where user_id = 34
 >>
 >> But according to this article: http://www.governmentsecurity.org/archive/t13901.html
 >>
 >> It is easy to change $_SESSION["user_id"] to for example 78.
 >> So, that means that once you are logged in and change your own
 >> user_id, you can see personal information from other users.
 >>
 >> Is this really possible? If so, I can imagine I would use a temporary
 >> table with temporary hashes where user_ids will be stored next to a
 >> temporary hash. However, this is much more work and database traffic
 >> which will slow down the system dramatically.
 >>
 >> So...  Is $_SESSION["user_id"] = 34 safe enough?
 >
 >       1. The client machine's cookie will contain only the session id--not
 > the data. So, directly accessing the session values by just looking at
 > the cookie won't help.
 >      2. But one can fix the session id by stuffing it into the cookie. This way,
 > someone can use some other user's session id and can access the
 > page--only if the default session handler is used. The solution is to use a
 > DB based session handler.
 
 A DB based session handler will not solve this problem.
 
 >     3. If the files handler is used, one can access the session
 > files (on a shared host). So, for all shared hosts the solution is a DB
 > based session handler.
 >
 
 Not as big of a problem as someone else getting the session ID and
 getting access to the user's session.  Just getting a user ID from a
 session in a file isn't going to do much good.  And you shouldn't be
 storing passwords in the session, anyway.
 
 You also neglect that if you're on a shared host, chances are you will
 not be able to implement db based sessions.  At least not without a lot
 of work.  And if you're on a dedicated or virtual server, no one else
 can access the file based sessions, anyway.
 
 DB based sessions add little, if any, security.
 
 > --
 >   <?php echo 'Just another PHP saint'; ?>
 > Email: rrjanbiah-at-Y!com    Blog: http://rajeshanbiah.blogspot.com/
 >
 
 
 --
 ==================
 Remove the "x" from my email address
 Jerry Stuckle
 JDS Computer Training Corp.
 jstucklex@attglobal.net
 ==================
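
The following is an added example, not code from this thread or from either poster. It shows in PHP the two points the thread argues about: $_SESSION["user_id"] lives in server-side storage and only the session id reaches the client, and the id-in-the-cookie fixation Rajesh describes is handled by session.use_strict_mode plus session_regenerate_id() at login, independent of whether the files or a DB handler is used. Everything about the data model is an assumption made for illustration: a hypothetical users table (id, username, password_hash, email), an in-memory SQLite database filled with constructed rows (user ids 34 and 78 taken from the original question), and constructed credentials. It requires PHP 7.3+ with pdo_sqlite.

```php
<?php
// Added example (not from the thread). Assumptions: hypothetical users table,
// in-memory SQLite via PDO, constructed sample rows and passwords.
declare(strict_types=1);

// Session hardening must happen before session_start().
// use_strict_mode: the server refuses any session id it did not issue, so an
// id an attacker planted in the victim's cookie is never adopted.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // cookie only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Constructed sample data so the script runs without a real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                               password_hash TEXT, email TEXT)');
$ins = $db->prepare('INSERT INTO users (id, username, password_hash, email) VALUES (?, ?, ?, ?)');
$ins->execute([34, 'alice', password_hash('alice-pw', PASSWORD_DEFAULT), 'alice@example.invalid']);
$ins->execute([78, 'bob',   password_hash('bob-pw',   PASSWORD_DEFAULT), 'bob@example.invalid']);

// Verify credentials and bind the user to the session.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Privilege change: issue a fresh id and delete the old session data, so a
    // session id fixed before login carries nothing afterwards.
    session_regenerate_id(true);
    // Only the id travels in the cookie; user_id is stored server-side and the
    // browser has no way to rewrite it to 78.
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// "Profile page": the lookup key comes from the session, never from a request
// parameter such as ?user_id=78.
function currentUserProfile(PDO $db): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Logout: clear server-side data, expire the cookie, destroy the session.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage (constructed): a login followed by a profile-page request.
if (login($db, 'alice', 'alice-pw')) {
    print_r(currentUserProfile($db)); // row for id 34 (alice), not 78
}
```

What the example does not do is also the point Jerry makes: a DB-backed handler could be swapped in with session_set_save_handler() without changing any line above, because the protection comes from strict mode, id regeneration on login, and the cookie flags, not from where the serialized session data happens to sit. On a shared host, what a DB handler (or a private session.save_path) buys is keeping the serialized data and, more importantly, the valid session ids out of a world-readable /tmp.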