sessions - safe for this use ?

beef-

i have a site (its in dev. right now, not up 😛) and anyways, im using sessions to store username, pass(md5'd), and level, along with some other stuff. Im not 100% sure, but is it safe to have the level just there ? is there a way i can secure it or something ?
Because if the user can change his level, he can access stuff he really shouldnt be able to access

jabba_29

Hi,

First off, I wouldn't really store password in session, even if it is md5'd.

I have seen many posts in other forums about session security and hijacking, but one thing to remember is that the session is usually stored in a tmp dir that is outside your web directory - that means inaccessible to the outside world.

This means that the session can only be hijacked if the server if hacked.

You could md5 the level too I suppose so that the hacker wouldn't know what information was actually stored in the session.

It is really up to you to decide how critical information is and what damage a hacker could do with the information per level.

For added security you could ensure that the session is only accessible from one IP:

$_SERVER['REMOTE_ADDR']

Hope this helps.
There are tonnes of threads on Devshed

Jamie

PHPGuru_2700

Even With what you said you can access sessions by typing in the session id without hacking, sessions just arnt safe for that kind of stuff, use cookies or pass a variable from page to page like this

<A HREF="blah.php<?print("?username=$username&password=$password");?>">Blah</A>

blah.php

<?
$username = $_GET["username"];
$password = $_GET["password"];
?>

beef-

Originally posted by jabba_29
Hi,

First off, I wouldn't really store password in session, even if it is md5'd.

why not? if the user has access to his own md5'd pass, whats the hurt. sure if its like a library thats such a good thing, but the logout uses session_unset and destroy. BTW, i am thinking on doing the ip thing below.

I have seen many posts in other forums about session security and hijacking, but one thing to remember is that the session is usually stored in a tmp dir that is outside your web directory - that means inaccessible to the outside world.

This means that the session can only be hijacked if the server if hacked.

Its not my personal server, its my hosts, so its probably setup better than i culd set up a server 😛 i barely have ftp access to MY webdir, hell sometimes that doesnt even work

You could md5 the level too I suppose so that the hacker wouldn't know what information was actually stored in the session.

I could, but this website is sort of like an intranet, its ment for a specific local group (computer club actually 😛), and if they compare url's and see that moe, the admin has this string at the end, you never know...

Do you know of anything i can apply to the level, that will make it md5'd and yet safe ? it would have to change, but how ? hey, maybe the date ? im not sure, but you seem much, much better than me at php.

It is really up to you to decide how critical information is and what damage a hacker could do with the information per level.

For added security you could ensure that the session is only accessible from one IP:
$_SERVER['REMOTE_ADDR']
------
so like make a thing in the cookie that has the ip md5'd ?

Hope this helps.
There are tonnes of threads on Devshed

Br

Jamie [/B]

Thanks alot, i hope you reply

jabba_29

I could, but this website is sort of like an intranet, its ment for a specific local group (computer club actually 😛), and if they compare url's and see that moe, the admin has this string at the end, you never know...
Do you know of anything i can apply to the level, that will make it md5'd and yet safe ? it would have to change, but how ? hey, maybe the date ? im not sure, but you seem much, much better than me at php.

In repsonse to this, if you were to get the extra level of the string only accesible though post as opposed to get method and validated that this is the method (an referring page), then it would be pretty safe I think.

I am by no means an expert on this, and trying to learn more about session security at the moment.

so like make a thing in the cookie that has the ip md5'd ?

- no, you wouldn't need to it as I think it is quite a big task to spoof an IP address (though I could be wrong) 😕

Hope this helps.

Jamie

planetsim

well sessions are good to a certain extent.. I use sessions for like admins, making sure people must login to get into an admin page. Cookies can be good in that situation but what if the person is on a remote computer and has used it with cookies. People can access that information..

Thats why i see a firm line between sessions and cookies. If the area is of importance id use both sessions and cookies...

But if its like a forum.. id go with cookies..

Another thing about sessions...

Theres 1 thing i was told when registering sessions and thats never store users information.. Maybe there username thats it, but never passwords, email, etc..

Although they will not know that they are stored. Smart Smart people can hack that. Or even worse session hijacking can occur