0

So, if a login/registration system is created, so that when the user logs in, the user is redirected to another members-only page (member.php), I would store the login information in the user's session.

When the user navigates to the members page, prior to allowing him to see content, I'd want to make sure that the username/password is valid, and the user is validly logged in. How might I ensure that the user is validly logged in when he/she gets to the member's page, to me it seems like using:

if (!isset($_SESSION['username']))
{
    die("You aren't allowed to access this page");
}

would work, however I want to ensure it's secure, and to me, it just doesn't seem secure enough (because if there was some way of spoofing a session, all they'd have to do would be to include any sort of text as the username).

I don't really know, so how would I check whether the user should have access to the page?

Lightness Races in Orbit
  • 378,754
  • 76
  • 643
  • 1,055
Alper
  • 1
  • 12
  • 39
  • 78

3 Answers3

1

Session variables are stored on your server, not on the users computer like a cookie. So the user can't ever modify $_SESSION['username']. The only thing you have to really be wary of with sessions is session hijacking (where a user gets the session id of another logged in user, and uses it to pose as that user)

Paul
  • 139,544
  • 27
  • 275
  • 264
0

A user may spoof a session ID cookie if they know a valid value, but not the session data itself, which is stored on the server.

Thus, they may not just "send you" session data with a certain username.

If they have access to the browser of someone who is logged in, they may be able to steal their SESSID (which is stored on the client), but per-IP sessions can mitigate that somewhat.

Lightness Races in Orbit
  • 378,754
  • 76
  • 643
  • 1,055
  • How do I create a per-IP session? – Alper Aug 20 '11 at 23:58
  • @Jacob: I don't know. It's [not this way automatically](http://stackoverflow.com/questions/2296571/php-session-cookies-fail-with-users-changing-ip/2296717#2296717). You could of course do it manually, by storing `$_SERVER['REMOTE_ADDR']` (or whatever it is) in the session data on login, and checking it for consistency on every request. – Lightness Races in Orbit Aug 21 '11 at 00:01
-1

Put an encrypted password cookie/session var with a salt perhaps, to be checked against the db every now and then.

casraf
  • 21,085
  • 9
  • 56
  • 91
  • Checking "every now and then" doesn't help you when the authentication details have been hijacked in the first place. They're not changing. – Lightness Races in Orbit Aug 20 '11 at 23:56
  • So, would I generate that password each time a new session begins, and store that in the database, or just use the user's encrypted password? And then would I check that against the database on every page? – Alper Aug 20 '11 at 23:57
  • You can make a new salt per IP address if you wanna make sure hijacked cookies aren't usable. Downside is a use can't be logged in at more than one place at once – casraf Aug 21 '11 at 00:00