1

I'm using the following code for my user login. Everything works fine but im just wondering the security of using this. I'm using the userid as the sessionid when a user logs in.

What are my security issues with using this?

Can the user change the sessionid to a different number and then be logged in as a different user? (how do i stop this?)

if (!empty($row['member_id']))
     {
    $_SESSION['id'] = $row['member_id'];
    header ("Location: team.php");
    exit();

2 Answers2

1

I'm not a security expert by any means.

There was an uproar back in, I want to say, 2010 about session theft. So much so that a group put out a tool called Firesheep that would let you quickly steal other sessions in an open wifi situation. The solution is to protect the entire logged in session with SSL or not be on an open network. Back when SSL was first being used, it proved too slow to be used as a session long security measure, but now computing is fast enough.

TLDR: If you don't SSL, someone can steal your session. Facebook and Google both had the same problem.

For clarification, they can't "steal" sessions so much as they can find out the SESSIONID being passed around in the POST request in order to keep you logged in and then modify their cookies to send that around as you instead. The Firesheep tool could snag Facebook logins in seconds. By modifying the cookie with someone else's SESSIONID, the tool was able to pretend to be the original user, allowing full access to the areas of the account that were unlocked upon login. See also: this.

Another good solution to help things is to reprompt the user during any account sensitive activity regardless of their session. For instance, if they try to change their password or change other account info, make sure to ask for their current password again.

The contents of the $_SESSION server-side are only safe as long as there is no way to submit user data in any way that would eventually end up in the session variable. If someone stole a SESSIONID and then entered data on some form (or if you blindly use the name of the form element as the index into the $_SESSION array) they could get stuff in there. The key is to never ever ever ever ever ever ever ever...EVER....trust what the client side has sent as valid or trustworthy. Paranoia is your friend.

digitlworld
  • 1,046
  • 7
  • 13
0

I think you are mixing up the Session ID (SID) with your own login id, you save in $_SESSION['id'].

Your code is fine. Session data is saved on the server and cannot be manipulated by the client directly. So he cannot change the value of $_SESSION['id'] (btw: I suggest to use a more unique key name like 'login_id').

Talking about the real Session ID (SID). The SID is a random string generated by PHP automatically and saved as a cookie on the client’s machine. The client can actually manipulate his SID and so potentially takeover a different session. This is called Session Hijacking and it’s a general problem of using sessions, no special problem of your code. Have a look here for further information: PHP Session Fixation / Hijacking

Community
  • 1
  • 1
DerVO
  • 3,679
  • 1
  • 23
  • 27
  • So without using SSL etc there is not much else i can change in my code to secure this more to make it worth my while? Thanks for your help. –  Jan 24 '12 at 23:31
  • You can and you should follow some advices from the linked answer. At least insert `session_regenerate_id(true)` after you performed the login. This generates a new SID and invalidates the old one. And set your `use_trans_sid` and `use_only_cookies` like described. Furthermore it’s up to you, how much effort you will take. It depends how sensible your login is. – DerVO Jan 24 '12 at 23:44