I'm developing an admin system for a custom CMS. On all my pages which are part of the admin site I use a check_user() function. The check_user() function only does this:

    function check_user()
    {
        session_start();

        // Use isset() so an unset key does not raise a notice, and strict
        // comparison so only the exact string "admin" passes.
        if (!isset($_SESSION['username']) || $_SESSION['username'] !== "admin") {
            header("Location: admin.php");
            // Stop here: without exit the rest of the admin page would still
            // be executed and sent, even though a redirect header was issued.
            exit;
        }
    }

Though it seems a bit simple, is this enough to keep unwanted members away from the site? How exploitable are $_SESSION[] vars? Any suggestions to improve this function?

Thanks in advance!

Narc0t1CYM
  • Possible duplicate of [How safe are PHP session variables?](http://stackoverflow.com/questions/1181105/how-safe-are-php-session-variables) – PoX Apr 13 '16 at 19:56

1 Answer

In the given code, $_SESSION is not exploitable IF register_globals is off (which on all latest installs will be off... but just to be sure)

Although depending on how these session parameters are set, it could be exploited. (i.e. using request parameters as keys in the session variable for example)

To improve on this code, I would suggest always starting a session, independent of the check_user call. This enables you to reuse check_user.

Ronald Swets
  • When a user logs in, it gets checked whether the username and password are in the database at the same row. If it is, then $_SESSION['username'] is set to the user's username, e.g. as an admin $_SESSION['username'] will be set to "admin". – Narc0t1CYM Apr 13 '16 at 19:05
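Putting the answer's advice together (start the session once outside check_user, set the role from the database row rather than from anything in the request, and stop the script after the redirect), here is an added example of a hardened version. It is not code from the question or the answer; the bootstrap file, the constructed user row, the login() helper and PHP 7.3+ for the array form of session_set_cookie_params() are all assumptions.

```php
<?php
// Added example (not from the question or answer). Assumed layout: this file is
// included by every admin page, so the session is started exactly once here and
// check_user() no longer needs to call session_start() itself.
if (session_status() === PHP_SESSION_NONE) {
    // Cookie hardening: not readable by JavaScript, HTTPS only, not sent cross-site.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

// Constructed sample row standing in for the database lookup (assumption).
function find_user(string $username): ?array
{
    $rows = [
        'admin' => ['username' => 'admin',
                    'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
                    'role' => 'admin'],
    ];
    return $rows[$username] ?? null;
}

function login(string $username, string $password): bool
{
    $row = find_user($username);
    // Verify against the stored hash, never a plaintext column.
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // New session id after authentication so a pre-login id cannot be fixated.
    session_regenerate_id(true);
    // Role comes from the DB row only; request parameters never reach the session keys.
    $_SESSION['username'] = $row['username'];
    $_SESSION['role']     = $row['role'];
    return true;
}

function check_user(): void
{
    // isset() avoids a notice on an empty session; strict comparison avoids loose-equality surprises.
    if (!isset($_SESSION['role']) || $_SESSION['role'] !== 'admin') {
        header('Location: admin.php');
        exit; // without this, the protected page body would still be executed and sent
    }
}
```

check_user() compares a role stored by login() rather than the username string, so promoting or demoting an account is a database change and the check itself stays the same.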