Posted by R. Rajesh Jeba Anbiah on 01/18/08 13:43
On Jan 17, 3:32 pm, p...@impulzief.nl wrote:
> Dear All,
>
> What I was wondering is how safe it is to store user_id or username or
> anything like that in session. I usually store a bunch of info in a
> session so I do not need to search the database all the time. However,
> is it easy to change a value after being logged in?
>
> For example:
> - A user logs in
> - Now set is: $_SESSION["user_id"] = 34;
> - If he opens his "Profile page", the website collects all personal
> information from table users where user_id = 34
>
> But according to this article: http://www.governmentsecurity.org/archive/t13901.html
>
> It is easy to change $_SESSION["user_id"] to for example 78.
> So, that means that once you are logged in and change your own
> user_id, you can see personal information from other users.
>
> Is this really possible? If so, I can imagine I would use a temporary
> table with temporary hashes where user_ids will be stored next to a
> temporary hash. However, this is much more work and database traffic
> which will slow down the system dramatically.
>
> So... Is $_SESSION["user_id"] = 34 safe enough?
1. The client machine's cookie will contain only the session id, not
the data. So directly accessing the session values by just looking at
the cookie won't help.
2. But one can fix the session id by stuffing it into the cookie. This way,
someone can use some other user's session id and access the
page, but only if the default session handler is used. The solution is to use
a DB-based session handler.
3. If the files handler is used, one can access the session
files (on a shared host). So, for all shared hosts the solution is a DB-based
session handler.
--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/
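An added example, not code from the original post or its author, showing the DB-based session handler the reply recommends, together with a session ID regeneration step at login that the reply does not mention but that is the standard counter to the "stuff a known id into the cookie" (session fixation) attack in point 2. It assumes PHP 8.1+ with PDO and MySQL, a `sessions` table and a `users` table as described in the comments; the DSN and credentials are placeholders.

```php
<?php
// Added example (not from the original post). Assumptions:
//   PHP 8.1+, PDO with MySQL, and these tables:
//     CREATE TABLE sessions (id VARCHAR(128) PRIMARY KEY, data BLOB, expires INT);
//     CREATE TABLE users (id INT PRIMARY KEY, username VARCHAR(64) UNIQUE,
//                         password_hash VARCHAR(255));
// The DSN and credentials below are placeholders.

// Session data lives in the database, not in /tmp where other tenants of a
// shared host may be able to read or overwrite the files handler's sess_* files.
class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $lifetime = 1440) {}

    public function open($path, $name): bool { return true; }
    public function close(): bool { return true; }

    // Expired rows are treated as missing, so a stale id starts an empty session.
    public function read($id): string
    {
        $stmt = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $stmt->execute([$id, time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? (string) $row['data'] : '';
    }

    // REPLACE INTO is MySQL-specific; use an upsert for other engines.
    public function write($id, $data): bool
    {
        $stmt = $this->db->prepare(
            'REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time() + $this->lifetime]);
    }

    public function destroy($id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        return $stmt->execute([$id]);
    }

    public function gc($maxLifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires < ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }
}

// Looks up the user and checks the password hash. Returns the user id or null.
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row && password_verify($password, $row['password_hash'])) {
        return (int) $row['id'];
    }
    return null;
}

// On success, throw away whatever session id the browser arrived with.
// An id planted in the cookie beforehand (session fixation) is therefore
// never the id that carries the authenticated user_id.
function loginUser(PDO $db, string $username, string $password): bool
{
    $userId = authenticate($db, $username, $password);
    if ($userId === null) {
        return false;
    }
    session_regenerate_id(true);     // new id; old row deleted via destroy()
    $_SESSION['user_id'] = $userId;  // stays server-side; the cookie holds only the id
    return true;
}

// Wiring: register the handler before session_start().
$db = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'placeholder-password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
session_set_save_handler(new DbSessionHandler($db), true);
session_set_cookie_params([
    'httponly' => true,   // keep the id away from scripts
    'secure'   => true,   // only over HTTPS
    'samesite' => 'Lax',
]);
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = loginUser($db, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    echo $ok ? 'logged in as user ' . $_SESSION['user_id'] : 'login failed';
}
```

The value a user could tamper with is still only the cookie's session id; `$_SESSION['user_id']` is written only by the server after a successful password check, and regenerating the id on login means knowing or planting someone else's id beforehand gains nothing.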