PHP: Privilege Escalation

Question

I have a site with two user classes - Admins and Guests. Expectedly, Admins have accessed to certain features which normal Guests don't. Currently, the user flag (admin/guest) which seperates admins/guests is stored in a cookie in a X:Y format where X is the user flag (1 for admin, 2 for user), and Y is the unique userid of the user in the database.

Privilege escalation can be done by changing the "X" in the cookie. Thus, I'm wondering if there are any ways to prevent this from happening? Ty!

6

Use PHP sessions instead? – jordanm Nov 30 '12 at 00:10

score 6 · Answer 1 · answered Nov 30 '12 at 00:15

6

Don't store the permissions on the client. Store the information needed to authenticate the user (generally speaking, this means a session id). Keep all the data needed for handling authorization levels on the server.

answered Nov 30 '12 at 00:15

Quentin

914,110
126
1,211
1,335

score 2 · Answer 2 · answered Nov 30 '12 at 00:21

You should store the role of the user (admin/guest) in the database, and put it in the session on login.

Somethig like this:

$authUser = authenticateUser($email, $password);
//if authentication successful :
$_SESSION['role'] = $authUser['role'];

Then you can check the right like this:

function isAdmin() {
  return $_SESSION['role'] == 'admin';
}

score 2 · Accepted Answer · answered Nov 30 '12 at 00:31

Your method is subject to multiple security vulnerabilities: it allows anyone to gain admin access AND it allows intruders (non admin, non-guests) to modify cookie values to mis-identify themselves completely. Building on Quentin and pinouchon's answer, you should use sessions to control user access levels... this will always be safer than storing flags on the clients side. This way the only value stored on the client side is the session ID which you can then use to either grab an existing session value ($_SESSION['privilege_level']) or against a database of user-privileges.

I'm a little reluctant to even post this, but if, for some reason, you absolutely cannot use sessions, at the very least you should avoid sending unencrypted/hashed cookie values. It's nowhere near as secure as using sessions, but you could store something like X:Y:Z , where x is the encrypted userID, Y is the encrypted permission flag, and Z is a monstrous salted hash that includes X,Y,User Agent, IP, etc. Then re-create the hash whenever the user does something and make sure that it matches the hash in the cookie (this will make it a little harder for someone to take over someone else's role, and it will make it harder for a user to manually alter their role.

Thanks Ben. Unfortunately, i don't have access to sessions. What encryption method would you recommend? Additionally, how do I decrypt it so I can retrieve and identify users? Cheers. — user1880717, Dec 05 '12 at 08:12
Best bet is probably to go with `mcrypt`. It's worth reading this [good SO post on PHP encryption and decryption](http://stackoverflow.com/questions/1289061/best-way-to-use-php-to-encrypt-and-decrypt-passwords). — Ben D, Dec 05 '12 at 08:18

PHP: Privilege Escalation

3 Answers3