0

Would it be a security risk to set the user id and pass to a session? If so how? The session vars would be in an included file. I understand that this would not allow other users, but I only have one user to log in.

****CONFIG.PHP****
session_start();
$_SESSION['USER'] = 'USERNAME';
$_SESSION['PASS'] = 'PASSWORD';


****LOGIN.PHP****
include ('config.php');
IF ($_SESSION['USER'] == $_POST['USERNAME'] && 
$_SESSION['PASS'] == $_POST['PASSWORD']){
ALLOW ACCESS;
}
Charles
  • 50,943
  • 13
  • 104
  • 142
Cjueden
  • 1,200
  • 2
  • 13
  • 25

5 Answers5

3

If you're using server-side sessions which can't be modified by the end-user anyways, there is no reason to store the password there. It's just another place the password exists on your server. Once you've validated the it is a valid user and the password is correct, you only really need to store their user ID in the session. There's no way they can change it, so you can always trust that it's actually their user ID.

There's always the risk of session hijacking, but that's a different topic.

As for your code, you're misunderstanding sessions. You set those after you've validated the user input.

****CONFIG.PHP****
$username = 'USERNAME';
$password = 'PASSWORD';


****LOGIN.PHP****
include ('config.php');
IF ($username == $_POST['USERNAME'] && $password == $_POST['PASSWORD']){
    session_start();
    $_SESSION['username'] = $username;
}

Then you can just test to see if $_SESSION['username'] is set. If it is, then you know you're logged in.

IF (isset($_SESSION['username'])){
    ALLOW ACCESS;
}
animuson
  • 53,861
  • 28
  • 137
  • 147
2

You should not safe the password in the session. The session-data cannot be manipulated from outside if you do it right, therefore you know the user is legit when the username is set.

TimWolla
  • 31,849
  • 8
  • 63
  • 96
  • How would I validate the user being legit with out a password, the above example would not use a database. – Cjueden Jan 19 '12 at 19:21
  • actually this is not true @TimWolla please read something about session hijacking in php – Harry Jan 19 '12 at 19:22
  • @ChristopherJueden-pytel Then the password should be set in a constant or something similar. The session is not the right place. – TimWolla Jan 19 '12 at 19:26
  • @Harry The only possible attack I could imagine would be CSRF, but that has nothing to do with PHP or anything else. Would you be so kind to give me a link to such information? – TimWolla Jan 19 '12 at 19:30
2

It wouldn't be a security risk, but it would allow ABSOLUTELY NO expansion at all. If you need to allow two users tomorrow, you'll have to re-architecture the login.

And, if you're only allowing one user, why use the session to store the values you're comparing against? You can just do this

Config.php

static class AuthValues
{
   $username = "username";
   $password = "password"
}

And then, in login.php

include ('config.php');
$auth = AuthValues;
IF ($auth::username == $_POST['USERNAME'] && 
$auth:password == $_POST['PASSWORD']){
ALLOW ACCESS;
}
Ayush
  • 41,754
  • 51
  • 164
  • 239
  • ^^ Please be sure u understand what Session means. A session is everytime user specific. There is no real chance two users share a session beside solutions like memcache etc. – Harry Jan 19 '12 at 19:19
  • So other than expansion this would be a fast and safe method of login – Cjueden Jan 19 '12 at 19:20
  • @Harry: I understand that Session is user specific. What I meant was, if two users intend to use it, they both would be forced to use the same username and password, since he is hardcoding the values being assigned to the SESSIOn array. – Ayush Jan 19 '12 at 19:21
  • I was assigning session as an added precaution as this would store the info on the server. if that's correct? – Cjueden Jan 19 '12 at 19:25
  • Even if you assign the values to class member properties, they will still be stored on the server. – Ayush Jan 19 '12 at 19:26
  • It would be a security issue on a shared server. Anyone with access to the server could read the session files externally from the site and extract all the passwords. – Marc B Jan 19 '12 at 19:28
1

Like your script name CONFIG.PHP indicates, the usernames and passwords are configuration data. A session is for storing data belonging to a special user session. A good practice for storing configuration data is to use CONSTANTS, because they cannot be changed by your program, once they are defined.

CONFIG.PHP

define('USER', 'USERNAME');
define('PASS', 'PASSWORD');

LOGIN.PHP

include 'config.php';
IF (USER == $_POST['USERNAME'] && PASS == $_POST['PASSWORD']) {
    session_start();
    $_SESSION['allow_access'] = true;
}

WHATEVER.PHP

session_start();
if (isset($_SESSION['allow_access'])) {
    //ALLOW ACCESS
}
DerVO
  • 3,679
  • 1
  • 23
  • 27
-1

Session injection could possibly steal another users Session and get his/hers password. Even if you are using a salted has instead of cleartext, this ist not really recommentable.

A better way would be to implement a good algorithm, rechecking if the user is valid as often as he does something he needs special permission to do it.

Processing time and things like that should me less important than good security!

Harry

Harry
  • 1,313
  • 3
  • 22
  • 37
  • You can't *retrieve* data from a hijacked session, only use their session. With bad security, it would be possible to *change* their password, but there is no possible way you could actually look at it, because it's never outputted to them anywhere. – animuson Jan 19 '12 at 19:48
  • read fore example this [link](http://stackoverflow.com/questions/487889/how-easy-is-it-to-hijack-session-vars-on-godaddy-php) or one of the first ten results on google "php hijack session". There are many ways and lots of things need to be done for really save session handling. And there are ways to retrieve values. Thanks for downvote. @animuson – Harry Jan 20 '12 at 08:26