I'm restricting my administrative panel to only accept access when a session exists.

When the user logs in successfully I store a session like this:

...
// session_start() must already have been called before $_SESSION is written to.
$result = $readUser->fetch(PDO::FETCH_ASSOC);
$_SESSION['result'] = $result;

And then in my dashboard.php I see if session exists:

session_start();
if (empty($_SESSION['result'])) {
    header('Location: index.php?restricted=true');
    exit; // header() alone does not stop the script; the rest of the page would still run
}

If it does not exist I send the user to index.php, which is where I have my login form.

Is this simple code above not enough?

But I read now that it is important to see if the session is valid and not only if the session exists: check also if the session is valid, and so we must read the database to verify that the information in the user's session is the same as we have in the database.

But I didn't understand why and when a session that exists can be invalid, and how the information of a user session can be different from the database, if he did log in and a session was stored with his login?

And the code verifying database will be like this:

session_start();
if (empty($_SESSION['result'])) {
    header('Location: index.php?restricted=true');
    exit;
} else {
    $userId = $_SESSION['result']['id'];
    // Re-check that the admin row referenced by the session still exists.
    $readUser = $pdo->prepare("SELECT id FROM admins WHERE id = :userId");
    $readUser->bindValue(":userId", $userId, PDO::PARAM_INT);
    $readUser->execute();
    // fetch() is used instead of rowCount(): rowCount() is not reliable for SELECT on all PDO drivers,
    // and the original "!$readUser->rowCount() >= 1" only worked by accident of operator precedence.
    if ($readUser->fetch(PDO::FETCH_ASSOC) === false) {
        unset($_SESSION['result']); // same key that was set at login
        header('Location: index.php?restricted=true');
        exit;
    }
}
    I think that advice is coming from someone who is extra paranoid, or doesn't understand the difference between sessions and cookies. – Barmar Jun 07 '14 at 00:05
  • Agreed with barmar. Look into what it takes to hijack a session. – Kai Qing Jun 07 '14 at 00:06
  • Furthermore, if someone can hijack the session, they can change `$_SESSION['result']['id']` to contain an admin's ID. – Barmar Jun 07 '14 at 00:06
  • Also, you need to ask yourself: What is this system? What is the impact of an intrusion? Are you willing to take that risk? Can you recover quickly? Basically, if we are talking about a personal portfolio site, then honestly who cares. Use what you feel comfortable with. But if you are building an e-commerce site, you had better have all bases covered because if you get hacked, your lack of diligence will bite you hard. – Giacomo1968 Jun 07 '14 at 00:10
  • Thanks for your help! It's not for a portfolio, but security is not very important; it is not an online store, where trust is critical. But if there is an advantage, even if little, why not make the query for verification in the database? – UserX Jun 07 '14 at 00:31
  • @Barmar: Hijacking sessions over unsecured networks is not as hard as it appears. Also, you cannot change a session variable by hijacking the session; all you get is the victim's session ID, and all it does is make the server think that you are the victim. Session variables are kept on the server. – Madara's Ghost Jun 07 '14 at 14:03
  • So checking the database doesn't help. He's checking a session variable against the database, which merely confirms that the hijacked session belonged to an admin. – Barmar Jun 07 '14 at 14:36

1 Answer

What I believe (please correct me if I am wrong) is that you are trying to achieve a simple security system.

What you are trying to do is authorization via a simple SESSION variable ('result') which states whether the user has been authenticated or not.

The problem with that simple check is that your session might be intercepted and even altered, so your system might be fooled easily. So some suggest storing session variables and the id in a database and exchanging secret values between your client and your server. But in the end the best way to protect your client-server communication is using an SSL certificate.

Try using a security module like Sentry. I believe it will be easier and you will be better protected and with more features available to manage your security in your app.
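An added example, not code from the question or the answer, showing when a session that exists can still be invalid and how the database re-check answers it. It assumes a PDO connection in `$pdo` and an `admins` table with columns `id`, `password_hash` and `active` (assumed schema); it also sets the cookie flags that address the hijacking point raised in the comments.

```php
<?php
// Added example (not from the question or answer). Assumed schema: admins(id, password_hash, active).
declare(strict_types=1);

// Cookie flags make the session ID harder to steal from scripts or on the wire.
session_set_cookie_params([
    'httponly' => true,   // not readable by JavaScript
    'secure'   => true,   // only sent over HTTPS (the answer's SSL point)
    'samesite' => 'Lax',
]);
session_start();

// Called on index.php after password_verify() succeeded. Stores the minimum, not the whole row.
function login_admin(array $admin): void
{
    session_regenerate_id(true);                       // fresh ID: defeats session fixation
    $_SESSION['admin_id']   = (int) $admin['id'];
    // Fingerprint of the credential: a password change makes every older session fail the check.
    $_SESSION['admin_auth'] = hash('sha256', $admin['password_hash']);
}

// Returns the admin id only if the session exists AND still matches the database.
function current_admin(PDO $pdo): ?int
{
    if (empty($_SESSION['admin_id']) || empty($_SESSION['admin_auth'])) {
        return null;                                   // no session at all
    }
    $stmt = $pdo->prepare('SELECT password_hash, active FROM admins WHERE id = :id');
    $stmt->execute([':id' => $_SESSION['admin_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // A session can exist yet be invalid: the account was deleted (no row), deactivated
    // (active = 0), or its password changed since login (fingerprint mismatch).
    if ($row === false || !$row['active']
        || !hash_equals(hash('sha256', $row['password_hash']), $_SESSION['admin_auth'])) {
        return null;
    }
    return (int) $_SESSION['admin_id'];
}

// dashboard.php
if (current_admin($pdo) === null) {
    session_unset();
    session_destroy();
    header('Location: index.php?restricted=true');
    exit;                                              // header() alone does not stop the script
}
```

Note that this check does not detect a stolen session ID by itself, as the comments point out; it only ensures that a session never outlives the account or credential it was issued for, while the cookie flags and HTTPS reduce how easily the ID can be taken in the first place.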