I just wonder what the best practices are to secure a restricted page with PHP. It has to be really safe.

I guess using the $_SESSION vars is the normal / most secure way.

Here is what I do to log in:

  • I use a separate SQL table with the username and an encrypted password + SALT
  • SALT is randomly generated and stored in the DB at registration (is this a good practice?)
  • I use filter_var and PDO on the $_POST login and password to avoid SQL injection
  • I check the number of failed logins and set the account inactive after 3 failed attempts
  • I do not use any cookie
  • I use SSL

Here is my code for a successful login; it looks so simple that I'm wondering if it is secure enough:

<?php
// login page: runs only after the username + password check succeeded
session_start();
$_SESSION['islogged'] = true;
?>

<?php
// on each restricted page
session_start();

// empty() also covers the case where no session value has been set yet
// (a bare !$_SESSION['islogged'] raises an undefined index notice there)
if (empty($_SESSION['islogged'])) {
    header('Location: unauthorized.php');
    exit; // stop the script so no restricted content is sent after the redirect header
}

// here starts my restricted content

?>

I wonder, for example, whether using the header function this way is safe enough and 100% reliable.

For PHP session security, I already found this interesting content: What are the risks of PHP sessions?

Is there something else I must be careful of?

Thank you a lot for your suggestions!

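A hardened version of the two snippets, added here as an example and not the asker's code: password_hash()/password_verify() replace the separate SALT column, the lockout is a temporary window rather than disabling the account, the session id is regenerated on login, and the session cookie (which PHP sets even when you "do not use any cookie") gets Secure/HttpOnly/SameSite flags. It assumes PHP 7.3 or later, a PDO handle $pdo, and a users table with the assumed columns username, password_hash, failed_logins and locked_until.

```php
<?php
// Added example, not the asker's code: a hardened version of the two snippets above.
// Assumed: PHP >= 7.3, a PDO connection in $pdo, a users table with the assumed columns
// username, password_hash, failed_logins, locked_until.
// Sessions always ride on a cookie, so set its flags before session_start():
// Secure (only over SSL), HttpOnly (not readable by script), SameSite (CSRF hardening).
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
session_start();
const LOCKOUT_ATTEMPTS = 3;
const LOCKOUT_SECONDS  = 15 * 60;   // temporary lockout, never a permanent disable

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash, failed_logins, locked_until FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown user or active lockout: fail without saying which.
    if ($user === false || ($user['locked_until'] !== null && strtotime($user['locked_until']) > time())) {
        return false;
    }
    // password_verify() reads the random salt stored inside the password_hash() string.
    if (!password_verify($password, $user['password_hash'])) {
        $failed = (int) $user['failed_logins'] + 1;
        $lock   = null;
        if ($failed >= LOCKOUT_ATTEMPTS) {
            $lock   = date('Y-m-d H:i:s', time() + LOCKOUT_SECONDS);
            $failed = 0;
        }
        $pdo->prepare('UPDATE users SET failed_logins = ?, locked_until = ? WHERE username = ?')
            ->execute([$failed, $lock, $username]);
        return false;
    }
    $pdo->prepare('UPDATE users SET failed_logins = 0, locked_until = NULL WHERE username = ?')
        ->execute([$username]);
    // Fresh session id on login so an id fixed before authentication is worthless.
    session_regenerate_id(true);
    $_SESSION['islogged'] = true;
    return true;
}

// On each restricted page (after session_start()): empty() covers the not-yet-set case
// that a bare !$_SESSION['islogged'] reports as an undefined index.
function requireLogin(): void
{
    if (empty($_SESSION['islogged'])) {
        header('Location: unauthorized.php');
        exit; // exit is what stops the restricted content from being sent
    }
}
```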
  • It does not matter whether you use the header function or echo something, or whatever, since there's an exit/die keyword that will kill the script and prevent any further execution of the restricted page – Royal Bg Oct 30 '14 at 07:58
  • Is this really a PHP question? Because it looks like you want a more conceptual answer than specific code. – Robson Oct 30 '14 at 08:05
  • I think that just checking the session variable "islogged" is not enough if you really want something secure. I think you could check on each page if the user has access to that given page by going to the DB, because the session lasts for a configured time on the web server and during that time something might have changed in the permissions, that's why you could check every time if the user has access to that given page – Robson Oct 30 '14 at 08:07
  • *"I check the number of failed logins and set the account inactive after 3 failed attempts"* - Thanks for letting me DoS anyone's account in an instant! (In other words: don't do this. Throttle the attacker and maybe raise some flags, but don't automatically nuke the attacked account after three tries.) – deceze Oct 30 '14 at 08:33
  • *"I do not use any cookie"* - You are. Sessions need cookies. – deceze Oct 30 '14 at 08:34
  • Thank you a lot for your responses. It was at least a PHP question with some consideration about SESSION and HEADER, but any conceptual idea to improve security for a PHP restricted area is good to know. – user1719210 Oct 30 '14 at 09:55
  • @RobsonFilhoColodeti The fact is only a few users will have access and there will be only one authorization level, so either you can access the page or not. – user1719210 Oct 30 '14 at 09:59
  • @deceze - I made a mistake: the exact behaviour is not that the account is disabled; the user can't try to log in for xx minutes. – user1719210 Oct 30 '14 at 10:01
  • @deceze so i didn't know i'm using cookies... I'll g**gle it! – user1719210 Oct 30 '14 at 10:04