
Can someone fake a $_SESSION variable? Is it safe to just store a few variables using $_SESSION to determine if the user is logged in AND which user id he/she has? Could someone try to impersonate someone else through hacking session IDs?

I am retrieving a hashed password from the db and then I store a session to determine if the user is logged in:

// session_start() must already have been called before $_SESSION is used
// Check username or email
$data = mysql_query("SELECT * FROM Users WHERE Username = '$username' OR Email = '$username'");
$num_rows = mysql_num_rows($data);
if($num_rows <= 0){ // Does username exist??
    // ERROR MESSAGES
    echo '<div class="error_messages">';
    echo 'Login combination is incorrect.';
    echo '</div>';
}else{ // It exists, now checks password
    while($row = mysql_fetch_array( $data )) {
        $username_id = $row['id'];
        $existingHashFromDb = $row['Password']; // Hash from db
        $first_name = $row['FirstName'];
    }

    $isPasswordCorrect = password_verify($password, $existingHashFromDb);

    if ( $isPasswordCorrect){ // Password is correct, user has logged in successfully!!
        // Create a session saying that we are logged in
        // And another session to store user's id
        $_SESSION['loggedIn'] = true;
        $_SESSION['userId'] = $username_id;

        echo '<div class="success_messages">';
        echo 'Welcome back, ' . $first_name . '!';
        echo '</div>';
    }else{
        echo '<div class="error_messages">';
        echo 'Login combination is incorrect.';
        echo '</div>';
    }
}

Then I would simply check who is logged in by using this function:

// checks if the user is logged in with the cookie on the browser, it returns 1 if logged in, otherwise returns 0
// (the key must match the one set at login: 'loggedIn', not 'loggedin')
function checkslogged()
{
    if (isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] == true) {
        return 1;
    }else return 0;
}

Is this the best approach?

Luis Cruz
  • Yes, `$_SESSION` data is maintained by the server. [Your SQL code might not be safe though.](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Also, [`mysql_` functions are obsolete.](https://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) – Alexander O'Mara Apr 15 '17 at 06:34
  • Possible duplicate of [How safe are PHP session variables?](http://stackoverflow.com/questions/1181105/how-safe-are-php-session-variables) – Alexander O'Mara Apr 15 '17 at 06:37
  • Like Alexander said, please, PLEASE read up on prepared statements or at the very least use mysql_real_escape_string() before dumping your variables in the query string. The way you're doing things is really insecure. – Hissvard Apr 15 '17 at 06:43
  • Didn't know that, thank you!! I will check mysql_real_escape_string() and prepare. – Luis Cruz Apr 15 '17 at 07:50
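As an added example (not the asker's code), here is the same login flow rewritten the way the comments suggest: the lookup is a prepared statement (PDO, with the value bound as a parameter), the password is still checked with `password_verify()`, the session id is regenerated at login so an id obtained before authentication cannot be reused, and the session cookie flags are set before `session_start()`. The table and column names (`Users`, `id`, `Username`, `Email`, `Password`, `FirstName`) are taken from the question; the DSN and credentials are placeholders.

```php
<?php
// Added example, not the asker's code. Assumes a MySQL table
// Users(id, Username, Email, Password, FirstName) as in the question.
// DSN, user and password below are placeholders.
declare(strict_types=1);

// Cookie hardening must be configured before the session starts.
ini_set('session.cookie_httponly', '1'); // not readable from JavaScript
ini_set('session.cookie_secure', '1');   // only sent over HTTPS
ini_set('session.use_strict_mode', '1'); // refuse ids the server never issued
session_start();

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4', // placeholder
        'app_user',                                         // placeholder
        'app_password',                                     // placeholder
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

/**
 * Tries to log the user in. Returns the first name on success, null on failure.
 * The username/email is bound as a parameter, so it can never change the SQL.
 */
function login(PDO $pdo, string $username, string $password): ?string
{
    $stmt = $pdo->prepare(
        'SELECT id, Password, FirstName FROM Users WHERE Username = :u OR Email = :e LIMIT 1'
    );
    $stmt->execute([':u' => $username, ':e' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // One message for "unknown user" and "wrong password" (as in the question).
    if ($row === false || !password_verify($password, $row['Password'])) {
        return null;
    }

    // Fresh session id on privilege change: a pre-login id becomes useless.
    session_regenerate_id(true);
    $_SESSION['loggedIn'] = true;
    $_SESSION['userId']   = (int) $row['id'];
    return (string) $row['FirstName'];
}

/** Returns the logged-in user's id, or null when nobody is logged in. */
function currentUserId(): ?int
{
    if (!empty($_SESSION['loggedIn']) && isset($_SESSION['userId'])) {
        return (int) $_SESSION['userId'];
    }
    return null;
}

/** Ends the session on the server and expires the cookie on the client. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage, with the form fields named as in the question.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $firstName = login(connect(), $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($firstName === null) {
        echo '<div class="error_messages">Login combination is incorrect.</div>';
    } else {
        // Escape before echoing: FirstName came from the database, not from a constant.
        echo '<div class="success_messages">Welcome back, '
            . htmlspecialchars($firstName, ENT_QUOTES, 'UTF-8') . '!</div>';
    }
}
```

Two named placeholders are used (`:u` and `:e`) because MySQL's native prepares do not allow the same named parameter twice when emulation is off. The session itself lives on the server, so the client only ever holds the id in the cookie; the flags above and the regeneration at login are what limit the damage if that id is observed or guessed.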

2 Answers


Sessions are more secure than cookies. It is not possible to hack session ids in PHP. It is a perfect way to check which user is logged in.

Danny

A nicer approach to the problem is posing a different question. Instead of "is my context secure enough?", ask yourself "is my solution safe even in a non-secure context?". For example, on user login you could generate a random token and assign it to the client, whilst storing it in your DB. Every further action would then require the user to pass you his token, in order to guarantee the authenticity of the request. Usually this is done by putting it in the header data of the requests, or in the $_SESSION superglobal array (the latter is the solution adopted by the Session Helper of CodeIgniter, the popular PHP MVC framework).

Loris Topa
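The per-login token scheme described in this answer, as an added example that is neither the answerer's code nor CodeIgniter's: a token is drawn from the CSPRNG at login, only its SHA-256 hash is stored server-side, the client sends it back in an `Authorization: Bearer` header, and each request is resolved to a user id (or rejected) by hashing the presented token and looking that hash up. The table `api_tokens(user_id, token_hash, expires_at)`, the one-hour lifetime and the PDO DSN are assumptions of this example.

```php
<?php
// Added example, not from the answer or from CodeIgniter.
// Assumed table: api_tokens(user_id INT, token_hash CHAR(64), expires_at DATETIME).
// The DSN and credentials below are placeholders.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600; // assumed lifetime

/** Issues a token for $userId at login and returns the raw token for the client. */
function issueToken(PDO $pdo, int $userId): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, 64 hex chars
    // Store only the hash: a copied table does not yield tokens that still work.
    $stmt = $pdo->prepare(
        'INSERT INTO api_tokens (user_id, token_hash, expires_at) VALUES (:uid, :h, :exp)'
    );
    $stmt->execute([
        ':uid' => $userId,
        ':h'   => hash('sha256', $token),
        ':exp' => date('Y-m-d H:i:s', time() + TOKEN_TTL_SECONDS),
    ]);
    return $token;
}

/** Extracts the token from "Authorization: Bearer <64 hex chars>", or null. */
function tokenFromRequest(array $server): ?string
{
    $header = $server['HTTP_AUTHORIZATION'] ?? '';
    if (preg_match('/^Bearer\s+([0-9a-f]{64})$/i', $header, $m) === 1) {
        return $m[1];
    }
    return null;
}

/** Resolves a presented token to a user id; null if missing, unknown or expired. */
function userIdForToken(PDO $pdo, ?string $token): ?int
{
    if ($token === null) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT user_id FROM api_tokens WHERE token_hash = :h AND expires_at > NOW() LIMIT 1'
    );
    $stmt->execute([':h' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['user_id'];
}

/** Revokes one token (logout); other sessions of the same user stay valid. */
function revokeToken(PDO $pdo, string $token): void
{
    $stmt = $pdo->prepare('DELETE FROM api_tokens WHERE token_hash = :h');
    $stmt->execute([':h' => hash('sha256', $token)]);
}

// Usage in a request handler (placeholder DSN and credentials).
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
$userId = userIdForToken($pdo, tokenFromRequest($_SERVER));
if ($userId === null) {
    http_response_code(401);
    exit('Not authenticated');
}
// ... $userId is now the authenticated user for this request.
```

The lookup is keyed on the hash rather than the raw token, so the database never holds anything a client could present directly, and the regular-expression check rejects malformed headers before any query runs. Note that under Apache in CGI/FastCGI mode PHP does not always receive the `Authorization` header in `$_SERVER['HTTP_AUTHORIZATION']`; in that setup read it through `getallheaders()` instead.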