
When someone logs in to my site, they obviously fill out a form with username and password. The form then checks if that exists in the database (the encrypted version of that password of course), and then starts a session with that person's user ID as the session ID.

Is this prone to any kind of spoofing/hijacking/hacking? Is there a safer way to do sessions so that no one can "log into someone else's account" by mistake?

        // $uid and $email come from the successful username/password lookup
        // described above. A session must already be open before the ID can
        // be regenerated.
        session_start();
        session_regenerate_id();   // fresh session ID after login, so a pre-login ID cannot be reused

        $_SESSION['SESS_MEMBER_ID'] = $uid;
        $_SESSION['SESS_NAME'] = $email;

        session_write_close();     // commit the data and release the session lock
  • possible duplicate of http://stackoverflow.com/questions/1181105/how-safe-are-php-session-variables – Rakesh Shetty May 12 '14 at 04:35
  • @RakeshShetty - I'm more so interested in my code in particular; since that other one didn't provide any code, I have no idea if mine is secure either. –  May 12 '14 at 04:40

1 Answer

Your best option is to check the IP address of the user or their user-agent.

Of course they will have to re-authenticate if their IP address changes. For example, if a user on a smartphone leaves their WiFi range and starts using their cellular network. I think the security payoff for the minor inconvenience of likely a small percentage of users is worth it.

Ryan Kempt
  • What about dynamic IPs? I personally don't have one, so I don't know how often they change, but surely it's enough to be a nuisance? –  May 12 '14 at 04:39
  • @TedMosby It depends on the ISP; I've seen them change as often as 24-48 hours, most last much longer. Not sure if this is viable, application-dependent advice I suppose. A re-login may not be the end of the world. – Ryan Kempt May 12 '14 at 04:41
  • How would you suggest I do this btw? Should I just add a new session variable of your IP when you create your session, then on all other pages cross-check against it to make sure it's still the same IP? It makes sense I guess, I'd just like some input on if anyone knows if IPs can change more often than that. –  May 12 '14 at 04:43
  • Ya, on login, add IP address of the user then on each page check w/ something like if (isset($_SESSION['ip']) && strcmp($_SESSION['ip'], $_SERVER['REMOTE_ADDR']) !== 0) die('zomg haxxors'); – Ryan Kempt May 12 '14 at 04:46
  • @RyanKempt would be a good idea generally, but if the person is intentionally trying to hack the site, changing your IP is as easy as a small edit to the MAC address in the router configuration and then a router reset. – khaverim May 12 '14 at 04:46
  • @khaverim Do you think that would actually be a problem though? People would need to go through the hassle of figuring out the user's IP, hiding their IP and making it the victims, making sure the victim has a session, spoofing the session(?), all to gain access. –  May 12 '14 at 04:48
  • @khaverim Good suggestion, encrypt the IP address on the session and check the encrypted current IP address versus the session IP. Use a method that someone won't be able to know the original IP address to spoof. – Ryan Kempt May 12 '14 at 04:48
  • @RyanKempt I appreciate your answer and responses to my questions. I'll begin coding this in now. I'll give it a bit of time before I mark as accepted answer just in case a better solution pops up - I'll mark it later tonight. :) –  May 12 '14 at 04:53
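A fuller version of the login and per-page check discussed in this answer and its comments, written as an added example rather than code from the question or the answer. It assumes PHP 7.3 or later (for the array forms of session_set_cookie_params() and setcookie()), a site served over HTTPS, and that the caller has already verified the password against the database before calling login_session(). Apart from SESS_MEMBER_ID and SESS_NAME, which the question uses, every function and key name here is made up for the example.

```php
<?php
// Added example, not code from the original question or answer.
// Assumes PHP >= 7.3 and HTTPS; function names are illustrative.
declare(strict_types=1);

const SESSION_NAME = 'app_sid';

// Run on every request before $_SESSION is touched.
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie only over HTTPS, invisible to JavaScript, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    session_name(SESSION_NAME);
    session_start();
}

// Fingerprint the client. The user agent is stable for a browser session; the
// IP is optional because mobile and NAT clients change it legitimately.
function client_fingerprint(bool $bindIp): string
{
    $parts = [$_SERVER['HTTP_USER_AGENT'] ?? ''];
    if ($bindIp) {
        // REMOTE_ADDR is set by the web server from the TCP connection.
        // X-Forwarded-For is a client-controlled header, so it is not used.
        $parts[] = $_SERVER['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\n", $parts));
}

// Call after the password check succeeded. $uid is the database user id and
// becomes session *data*; PHP generates the random session identifier.
function login_session(int $uid, string $email, bool $bindIp = false): void
{
    secure_session_start();
    // New ID on privilege change so a fixated pre-login ID is useless;
    // true also deletes the old session record.
    session_regenerate_id(true);
    $_SESSION['SESS_MEMBER_ID'] = $uid;
    $_SESSION['SESS_NAME']      = $email;
    $_SESSION['SESS_FP']        = client_fingerprint($bindIp);
    $_SESSION['SESS_BIND_IP']   = $bindIp;
    $_SESSION['SESS_LAST_SEEN'] = time();
}

// Call at the top of every authenticated page. Returns the user id, or null
// after tearing the session down if the fingerprint or idle time is off.
function current_user_id(int $idleTimeout = 1800): ?int
{
    secure_session_start();
    if (!isset($_SESSION['SESS_MEMBER_ID'], $_SESSION['SESS_FP'])) {
        return null;
    }
    $bindIp = (bool) ($_SESSION['SESS_BIND_IP'] ?? false);
    // hash_equals() compares in constant time, unlike strcmp().
    $fingerprintOk = hash_equals($_SESSION['SESS_FP'], client_fingerprint($bindIp));
    $fresh = (time() - (int) ($_SESSION['SESS_LAST_SEEN'] ?? 0)) < $idleTimeout;
    if (!$fingerprintOk || !$fresh) {
        logout_session();
        return null;
    }
    $_SESSION['SESS_LAST_SEEN'] = time();
    return (int) $_SESSION['SESS_MEMBER_ID'];
}

// Clear the data, expire the cookie and drop the server-side record.
function logout_session(): void
{
    secure_session_start();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'] ?? 'Lax',
    ]);
    session_destroy();
}
```

login_session() is the counterpart of the snippet in the question: the user ID is stored inside the session while PHP picks the random identifier, so a session cannot be reached by guessing another user's ID, and regenerating the ID at login defeats fixation. current_user_id() is what each protected page calls first. IP binding is off by default for the reasons raised in the comments (mobile and NAT users change address), and behind a reverse proxy REMOTE_ADDR is the proxy's address, so enabling it there needs the proxy set up to pass the client address in a trusted way. Hashing the fingerprint keeps the raw address out of the session store, which is the workable form of the "encrypt the IP" suggestion, but it does not stop an attacker who already holds the cookie and shares the victim's address; the Secure and HttpOnly flags, use_strict_mode and the idle timeout are what limit how the cookie can be stolen or replayed in the first place.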