
When a user creates an account, he is given a user id from the database that is unique and auto-incremented. So the first user has the user id of 1, the second user created has the user id of 2, and so on. I'm using PHP sessions to store the user id when they are signed in so that they stay signed in. After reading several articles, I get the point that you never want PHP sessions to be as vulnerable as I have made them (it's easy for a hacker to determine what the PHP session user id is of each user). So my question is, if I were to use md5 or blowfish based on their unique username to generate a user id for each user, would that make PHP sessions secure?

thank_you
    PHP sessions generate their own IDs and everything for you. There is nothing you need to do on top of that. If you are simply storing the ID in session data, there is no problem. If you are overriding the default session ID, that is a different story... and a huge problem. – Brad Oct 03 '12 at 17:51
  • I'm storing an id grabbed from the database associated with that user into the session. So `$session['user_id']` references the user id grabbed from the database. – thank_you Oct 03 '12 at 17:53
  • Then, there is no problem with your implementation. – Brad Oct 03 '12 at 17:54
  • Awesome thanks. Would I ever have to worry about that data being displayed over the website such as in a photo name or url? – thank_you Oct 03 '12 at 17:57
  • Session IDs are shared with the client... this is a basic requirement for the system to work. The data stored in the session is kept server side. This is generally sufficient. If you need to do anything important, use HTTPS. – Brad Oct 03 '12 at 17:59
  • 2
    Make sure your PHP server is running the Suhosin patch. This patch adds a number of security features to PHP, and should be considered compulsory for any production PHP site. One of the things it does is automatically encrypt all PHP session data. Your PHP code doesn't need to do anything different, but your session data is secure from hacks on the server. (Suhosin adds a bunch of other stuff too, all good stuff, but that's the one that's relevant to the question) – Spudley Oct 03 '12 at 18:09
  • Sweet, thanks for that. I'll make sure I'll look out for that when I get a server. – thank_you Oct 03 '12 at 18:12

1 Answer


A good approach would always be, at the login screen and immediately post-login, to force a new session id generated using random numbers:

// The id has to be set before session_start(): calling session_id() after the
// session is already started does not change the active session.
$newsessid = bin2hex(random_bytes(16)); // real random source in place of somerandomnumberfunction()
session_id($newsessid);
session_start();

You can also use the session_regenerate_id() function to generate a new id:

session_start();
session_regenerate_id();

Good Read

PHP Session Security

PHP Security Guide: Sessions

Database_Query
Although this does not directly answer my question, and since then it has been solved in the comments, I'll give you credit for the answer. Plus I think my question was a little ambiguous, so your answer would make sense if you read it the way I think you read it. – thank_you Oct 03 '12 at 19:47
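Putting the answer's advice and the comments together, here is an added example (not code from the question, the answer, or any project): a login flow that keeps the sequential database user id server-side in $_SESSION and regenerates the session id at the moment the user authenticates. authenticate() is a hypothetical stand-in for the real database lookup, and the user table inside it is constructed.

```php
<?php
// Added example, not code from the question or the answer: a login flow that
// keeps the database user id server-side in $_SESSION and regenerates the
// session id at the privilege change. authenticate() is a hypothetical
// stand-in for the real database lookup.
declare(strict_types=1);

function authenticate(string $username, string $password): ?int
{
    // Constructed user table standing in for the database (id 1 = first user).
    $users = ['alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return null;
    }
    return $users[$username]['id'];
}

function startSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Only accept ids PHP generated itself; an unknown client-supplied id is discarded.
    ini_set('session.use_strict_mode', '1');
    // Cookie not readable by script, only sent over HTTPS, not sent cross-site.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

function login(string $username, string $password): bool
{
    startSession();
    $userId = authenticate($username, $password);
    if ($userId === null) {
        return false;
    }
    // Fresh id once authenticated, so an id seen before login cannot be reused;
    // true removes the old session data as well.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId; // the sequential database id can stay as it is
    return true;
}
```

The session id in the cookie is the only secret; the user id stored against it never leaves the server, which is why it does not need hashing.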