1

I'm designing a web-based PHP reporting system. It involves multiple pages that insert and update to a MySQL server. Basically, I want someone to be able to log on, start a report, then go through a fairly long reporting process step by step. Before, they were simply filling out Excel spreadsheets. I've basically set up a $_SESSION[$var] = (the auto increment ID) of the score table.

    $returnQuery = "SELECT AssessmentID FROM opsassessment.assessmentscores
                    WHERE Date = '$Date' AND InspectorID = '$inspectorResult2[0]'
                    AND PlantAssistID = '$assistResult2[0]' AND Plant = '$plantResult2[0]'";

    $return = mysql_query($returnQuery);
    $return2 = mysql_fetch_row($return);

    $_SESSION["return2"] = $return2[0];
    echo "The ID for this session is: " . $_SESSION["return2"];

I then assign the session variable to a variable within each page. Then use that variable to update the assessmentscores table with data from several checkboxes. I have two questions about this:

  1. Is there a "better" way of doing this? Vague, I know. While the system does work, I have a suspicion that there is an easier or more traditional way of doing it.

  2. How much of a security risk am I running by using sessions? Note: this is a closed-off network, so no one outside the company should be able to access the webpages unless the network is already hacked. Also, I've implemented SQL injection prevention such as stripping HTML and special characters.

Any comments and/or feedback would be appreciated.

Sedaition

2 Answers

1

The session data is as secure as your server is. None of the data stored IN the session is ever physically transmitted to the user, unless you choose to do so.

The only session-related data that ever is (or SHOULD be) transmitted to the user is the ID of the session.

However, storing the ID number in the session can be problematic. Consider the case where a user starts two reports at roughly the same time. Whichever report is started last will overwrite the ID number of the first report, and now all operations in both windows affect report #2.

Marc B
  • I see your point, but it shouldn't be a problem. Each user might do one or two reports a year (they're inspections of large manufacturing plants). Just out of curiosity, how would you build it so that two windows didn't lead to this problem? – Sedaition Jul 07 '11 at 19:28
  • Instead of storing the number in the session, store it in hidden field values, pass it in the URL, etc... Or simply have your "start a new report" script check if another report is already open and disallow a new one. – Marc B Jul 07 '11 at 19:33
  • Good Stuff. Makes sense and going to implement – Sedaition Jul 07 '11 at 19:38
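
An added example (not code from the question or from either answer) of the hidden-field approach suggested in the comments above: the session keeps the set of report IDs it started, and the ID posted with each request is checked against that set before the update runs. The function names, the `open_reports` session key, the `Score` column and the in-memory SQLite table standing in for MySQL are assumptions made for this example.

```php
<?php
// Added example; startReport(), updateScore(), 'open_reports' and the
// Score column are hypothetical names, not taken from the question.
declare(strict_types=1);

function startReport(PDO $db, array &$session, string $date, int $inspectorId): int
{
    $stmt = $db->prepare('INSERT INTO assessmentscores (Date, InspectorID) VALUES (?, ?)');
    $stmt->execute([$date, $inspectorId]);
    $id = (int) $db->lastInsertId();
    // Track every report this session opened, not one overwritable slot.
    $session['open_reports'][$id] = true;
    return $id;
}

function updateScore(PDO $db, array $session, $postedId, int $score): bool
{
    // The ID arrives in a hidden field or URL, so the client controls it:
    // require a plain integer that this session actually started.
    $id = filter_var($postedId, FILTER_VALIDATE_INT);
    if ($id === false || empty($session['open_reports'][$id])) {
        return false;
    }
    // Bound parameters keep the value out of the SQL text.
    $stmt = $db->prepare('UPDATE assessmentscores SET Score = ? WHERE AssessmentID = ?');
    $stmt->execute([$score, $id]);
    return true;
}

// Constructed demo data: in-memory SQLite stands in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE assessmentscores (AssessmentID INTEGER PRIMARY KEY
           AUTOINCREMENT, Date TEXT, InspectorID INTEGER, Score INTEGER)');

$alice = [];  // stand-ins for two users' $_SESSION arrays
$bob   = [];
$a1 = startReport($db, $alice, '2011-07-07', 1);  // first window
$a2 = startReport($db, $alice, '2011-07-07', 1);  // second window, same session
$b1 = startReport($db, $bob, '2011-07-07', 2);

var_dump(updateScore($db, $alice, (string) $a1, 4));  // ID from window 1
var_dump(updateScore($db, $alice, (string) $a2, 5));  // ID from window 2
var_dump(updateScore($db, $alice, (string) $b1, 1));  // ID from Bob's session
var_dump(updateScore($db, $alice, '1 OR 1=1', 1));    // non-integer input
```

In a real page, `$session` would be `$_SESSION` after `session_start()`, and `$postedId` would come from `$_POST` or `$_GET`.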
0

Sessions were meant to do EXACTLY what you are doing.

And they are safer than the other options, because their storage is server-side (as opposed to cookie storage), so the only way someone can access the sessions is if they have access to the webserver's session directory, and if that happens you have bigger problems to worry about.

It is possible to steal a session, but the attacker would need the user's session cookie.

But keep doing what you are doing: store the row's primary ID to prevent extra queries; it is the way it should be done (I would use the $_SESSION variable directly, instead of copying it to another var).

More on session security on SO:

PHP Session Security

Security of $_SESSION array

Community
Vinicius Kamakura