
Currently I am starting a session as follows:

    if ($hasher->CheckPassword($password, $hash)) { // $hash is the hash retrieved from the DB
        $what = 'Authentication succeeded';
        $_SESSION['username'] = $_POST['username']; // session_start() must already have been called
        header('Location: securedpage1.php');
        exit(); // stop execution after the redirect, otherwise the rest of the page still runs
    } else {
        $what = 'Authentication failed';
        echo "Incorrect Password";
        include 'login.php';
        exit();
    }

As you can see, I am wondering if $_SESSION['username']=$_POST['username']; is the best way to start a session, or if there are better practices.

Thank you for any responses!

neeko

    I'd retrieve the user's ID and store it in the session instead. I like my session data to be known to be sane, and a valid ID is an example. – Kos Sep 07 '12 at 12:56
  • Thank you for your reply. Could you explain how I would retrieve the user's ID and store it in the session? – neeko Sep 07 '12 at 12:59
  • What is a "secure session" and why do you consider your current session insecure? – zerkms Sep 07 '12 at 13:03
  • Nope, I'd need to know your application. I assumed you have a database backend and assign a unique (usu. numeric) ID to each registered user, which is a common set-up. If you don't use IDs, then the username is OK too, as long as you make sure that it corresponds to an actual user. – Kos Sep 07 '12 at 13:03
  • @zerkms sorry, I think "secure session" was the wrong terminology. I meant: what is the best practice to start a session, or is the method I have used sufficient? I am looking for a basic level of protection to try and prevent session hijacking. – neeko Sep 07 '12 at 13:05
  • @Kos yes, I have a database backend with a unique numeric ID for each user. – neeko Sep 07 '12 at 13:06
  • Well, one thing you can do to *slightly* improve session security is tie it to an IP address, and invalidate any session accessed by a different IP other than the IP that created it... – Mansfield Sep 07 '12 at 13:06
  • @Neil Kumar: "what is the best practice to start a session" --- `session_start();` – zerkms Sep 07 '12 at 13:07
  • **PLEASE** make the message just say that the username/password combination is incorrect (or words to that effect). Otherwise a hacker at least knows that the username is correct. – Ed Heal Sep 07 '12 at 13:11
  • @zerkms as you can tell I am new to this. What I really meant was: how can I slightly improve my security when involving sessions? I was wondering if anyone can give me some pointers with examples. I will look into tying an IP address to each session, but I am unsure of how to go about this. – neeko Sep 07 '12 at 13:13
  • @EdHeal thank you, that is a very good point! – neeko Sep 07 '12 at 13:14
  • @Neil Kumar: the truth is - if you ask such questions - your application will be full of vulnerabilities. – zerkms Sep 07 '12 at 13:14
  • @zerkms yes, I understand. This is why I am asking: to learn and improve my application. This is my first attempt at learning PHP; thank you for your responses, I will take them on board. – neeko Sep 07 '12 at 13:16

3 Answers

You could roll your own session handler using a database as the storage point rather than the filesystem. This has several security advantages, as on a shared host, for instance, session data stored in the filesystem could be compromised. As I mentioned in my comment, you could also store the "source" IP address in this way and tie it to the session, and invalidate any sessions accessed from an IP other than the original one.

This article explains in great detail: http://shiflett.org/articles/storing-sessions-in-a-database

Mansfield
  • Thank you for your response, this is what I was looking for. I apologise for my lack of proper terminology! – neeko Sep 07 '12 at 13:19

$_SESSION['username']=$_POST['username']; doesn't actually start a session, session_start() does. So your question is misplaced.

There's nothing inherently wrong with that line of code.

If you would like to know some information about writing secure session code, this isn't a bad place to start: http://phpmaster.com/php-sessions/

Two security keywords you can search for are "session fixation" and "session hijacking". Two other common security problems are XSS attacks and CSRF attacks.

There are also heaps of previous questions for this subject already on stackoverflow, you should search. For instance.

Ivo
  • Thank you, again I apologise for not correctly stating the question. This will help me out a lot! Much appreciated. – neeko Sep 07 '12 at 13:21
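Putting the thread's advice together in one place (store the user's database ID rather than the POSTed username, regenerate the session ID at login against session fixation, optionally bind the session to the client IP as Mansfield suggests, and return one generic failure message as Ed Heal asks): this is an added example, not code from the question or from either answer. It assumes PHP 7.3 or later, a PDO connection in $pdo, the question's phpass $hasher, and a users table with id, username and password_hash columns.

```php
<?php
// Added example, not code from the question or the answers. Assumes PHP 7.3+, a PDO
// connection in $pdo, the question's phpass $hasher, and a users(id, username, password_hash) table.

// Harden the session cookie before session_start().
ini_set('session.use_strict_mode', '1'); // reject session IDs the server never issued
session_set_cookie_params([
    'httponly' => true,  // cookie not readable from JavaScript (limits theft via XSS)
    'secure'   => true,  // only sent over HTTPS
    'samesite' => 'Lax', // not sent on most cross-site requests (limits CSRF)
]);
session_start();

function loginUser(PDO $pdo, $hasher, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown user and wrong password take the same branch: one generic failure.
    if ($row === false || !$hasher->CheckPassword($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh ID on login, so a pre-set (fixated) ID is useless
    $_SESSION['user_id'] = (int) $row['id'];        // the DB id, not the raw POSTed username
    $_SESSION['ip']      = $_SERVER['REMOTE_ADDR']; // bind the session to the client IP
    return true;
}

// Call at the top of each protected page (e.g. securedpage1.php); returns the user id.
function requireLogin(): int
{
    if (empty($_SESSION['user_id']) || ($_SESSION['ip'] ?? null) !== $_SERVER['REMOTE_ADDR']) {
        session_unset();
        session_destroy();
        header('Location: login.php');
        exit();
    }
    return $_SESSION['user_id'];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (loginUser($pdo, $hasher, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
        header('Location: securedpage1.php');
        exit(); // stop here; code after a redirect header still runs otherwise
    }
    echo 'Incorrect username or password'; // do not reveal which part was wrong
    include 'login.php';
    exit();
}
```

Binding to REMOTE_ADDR is the "slight" improvement Mansfield describes: it also logs out legitimate users whose address changes (mobile networks, proxies), so weigh that against the benefit.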

It's not shown in the example, but I presume a session_start() is in your code somewhere? You can learn more about session start here: PHP Manual: Session Start

Mike Mackintosh