
After I authenticate user login info, I create this session for them:

$_SESSION['username'] = $userName;

Then, I redirect them like this:

// closing parenthesis was missing; an absolute URL with a scheme is needed for the redirect to go where intended
header('Location: http://www.domain.com/profile/' . $_SESSION['username']);

I want my website to have a beautiful URL, something like: www.domain.com/profile/userName

Thus, in all my redirect links (HTML <a> tag or PHP header() function), I will use:

"www.domain.com/album/" . $_SESSION['username'];

Are there any security loopholes?

Edit:

Do I need to create session id first using session_id()?

So, to check:

if (!isset($_SESSION['id'])) {   // closing parenthesis of isset() was missing
    // redirect to login page
}

3 Answers


Normally, while using sessions we also need to be aware of:

Session Hijacking, Session Fixation

I suggest that in your code, after the user has logged in, you store the username in a session variable and also store one more unique value, such as the USER AGENT, in a session variable, so that on every page the user visits we can check whether the same USER AGENT and SESSION ID exist; this would make it much more secure. To make it much more secure, do the encryption like MD5 on the User AGENT so that hackers can't reproduce it.

Quoted from PHP SECURITY GUIDE

<?php

session_start();

if (isset($_SESSION['HTTP_USER_AGENT']))
{
    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
    {
        /* Prompt for password */
        exit;
    }
}
else
{
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}

?>

Refer to:
PHP Security Guide on Session
Another Thread on Session security

Webrsk

What are you protecting? What are you doing to verify that they have authorization? Are you protecting their profile and verifying that they have authorization because they have the session key? You don't ever mention checking that they have a session variable.

You won't even need to know the session ID. That is immaterial to storing whether the user has gotten authentication, that's just the mechanism which indicates what session information they should be using.

When the user logs in, you want to store something like

$_SESSION['authed_user'] = true;

And then, on subsequent attempts to edit information you do:

if ($_SESSION['authed_user']) {
  // do something authed users can do
}

And naturally, you'll really probably want some sort of levels of authorization. I recommend you consider using something like SimpleAuth...

cgp
  • yes, protecting their profile. For eg, protect from third user to edit their profile etc –  May 01 '09 at 18:46

You need authorization on the page that allows the user to edit their profile. If they'll be editing on the http://www.domain.com/profile/[username] page, then you need to check that their $_SESSION['username'] is equal to the profile page they are on.

Otherwise anyone would be able to type in the URL (basically guess a profile number or name) and edit it.

But yes, you should first check if they've logged in AT ALL:

if (isset($_SESSION['username'])) {
    // Logged in
} else {
    // Not logged in
}
Travis