
I'm currently working on a PHP browser based game. I have most of the script done but I'm worried that someone could easily 'hack' the session.

When a user logs in and the password is correct, $_SESSION['logged'] will become '1'. The user will be redirected to profile.php.

If $_SESSION['logged'] is equal to '1', the profile will be displayed. However, if $_SESSION['logged'] doesn't exist, the user will be redirected back to index.php.

I'm afraid that the user will be able to hack $_SESSION['logged'].

Also, there is $_SESSION['username']. Most of the time I use $_SESSION['username'] to fetch information from the database. If $_SESSION['username'] were changed/hacked, the 'hacker' will then be able to 'become' another 'person'.

I heard about session_regenerate_id and session_id(). However, I'm not sure where to place them.

Thanks,

jacktheking
  • The player, or *client*, cannot change the values from `$_SESSION`. – Francisco Presencia Jun 16 '14 at 04:32
  • You shouldn't store `$_SESSION['logged']`; you can use token-based authentication instead. – Raptor Jun 16 '14 at 04:32
  • @Raptor I use this way to understand if a user is admin or not; what is another and better way? – Mohammad Kermani Jun 16 '14 at 04:34
  • @scrowler Aren't sessions established and maintained through cookies in most scenarios (absent sending the session id through every POST/GET)? Sessions can be hacked by a man in the middle, but for most people's needs, they're "secure enough". –  Jun 16 '14 at 04:39
  • you should store the "admin or not" settings in DB. – Raptor Jun 16 '14 at 06:29

1 Answer


`session_regenerate_id`: Update the current session id with a newly generated one. This might be useful if, for example, you want to refresh the session ID every 10 minutes or after changing the state of authenticity of a user associated with a session.

and you should know about

and if you want to know more take a look at PHP security

Mohammad Kermani
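As an added example (not code from the question or the answer), one way to place `session_regenerate_id()` in a PHP login flow: regenerate the id right after the password check succeeds, store a numeric user id rather than trusting a username, and look the role up in the database on each request as the comments suggest. The `$pdo` connection and the `users` table columns (`id`, `username`, `password_hash`, `is_admin`) are assumed names.

```php
<?php
// Added example: where to call session_regenerate_id() in a login flow.
// Assumes a PDO connection in $pdo and a `users` table with columns
// id, username, password_hash, is_admin (all hypothetical names).
declare(strict_types=1);

session_start();

// Call right after a successful password check. Regenerating the id means
// any session id the client held before login (e.g. one planted by session
// fixation) no longer maps to the authenticated session.
function login_user(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);            // true: discard the old session data
    $_SESSION = [];                         // drop anything set before login
    $_SESSION['logged']     = 1;
    $_SESSION['user_id']    = (int) $row['id'];  // numeric id, not the username
    $_SESSION['login_time'] = time();
    return true;
}

// profile.php: deny access unless the session was set up by login_user().
function require_login(): int
{
    if (empty($_SESSION['logged']) || !isset($_SESSION['user_id'])) {
        header('Location: index.php');
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Read the role from the database on every request instead of caching
// "is admin" in the session, so a role change takes effect immediately.
function is_admin(PDO $pdo, int $userId): bool
{
    $stmt = $pdo->prepare('SELECT is_admin FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    return (bool) $stmt->fetchColumn();
}

// Logout: clear the server-side state so the old id is useless afterwards.
function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}
```

The session id itself still travels in a cookie, so this should sit behind HTTPS with the cookie marked `HttpOnly` and `Secure` (via `session_set_cookie_params()`) before `session_start()`.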