I'm quite new to PHP and would appreciate any security advice on the authentication system (on PHP 4.2.2) I've been working on, basically because I don't know the PHP session mechanism well.
When a user is successfully validated against the DB, the system stores a simple user class instance (validuser, username, fullname) in a session variable:
... Database stuff here ...
$user = new userObjectClass();
$user->setValidUser(1);                      // Marks the object as an authenticated user
$user->setUsername($resultset->username);    // Sets the class variable 'username'
$user->setFullname($resultset->fullname);    // Sets the class variable 'fullname'
... and finally stores the object in a session variable ...
$_SESSION['userobject'] = $user;
On the pages to be secured I have put a call to a function which simply tests whether $_SESSION['userobject']->isvalid is set to 1.
How secure is this? What are the highest risks? How simple is it to fool this kind of authentication system, steal a session, etc.? Could it somehow be fooled through malicious URL input like http://securesite.com/securepage.php?isvalid=1 (not exactly like that, of course)?
Thanks in advance,
Peter
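For readers comparing against the setup described in the question, here is an added example (not Peter's code) of the same session-backed login check in a form that keeps the decision entirely on the server side. The class mirrors the one in the post; find_user_by_credentials() is a hypothetical stand-in for the "Database stuff" and uses a constructed sample record. It assumes PHP 5+ syntax and session_regenerate_id(), which PHP 4.2.2 does not have (it arrived in 4.3.2), so on 4.2.2 that line would have to be left out.

```php
<?php
// Added example, not code from the original post. Assumes PHP 5+ and
// session_regenerate_id() (PHP 4.3.2+); find_user_by_credentials() is a
// hypothetical stand-in for the database lookup.

class userObjectClass {
    public $validuser = 0;
    public $username  = '';
    public $fullname  = '';

    public function setValidUser($v) { $this->validuser = (int) $v; }
    public function setUsername($u)  { $this->username  = $u; }
    public function setFullname($f)  { $this->fullname  = $f; }
    public function isValid()        { return $this->validuser === 1; }
}

// The class must be defined before session_start(); otherwise the stored
// object comes back as __PHP_Incomplete_Class and the method call fails.
session_start();

// Hypothetical database lookup over a constructed sample record.
// Returns the user row on success, null otherwise.
function find_user_by_credentials($username, $password) {
    $sample = array(
        'username' => 'peter',
        'fullname' => 'Peter Example',
        'hash'     => password_hash('correct horse', PASSWORD_DEFAULT),
    );
    if ($username === $sample['username'] && password_verify($password, $sample['hash'])) {
        return $sample;
    }
    return null;
}

function login($username, $password) {
    $row = find_user_by_credentials($username, $password);
    if ($row === null) {
        return false;
    }
    // Issue a fresh session id when privilege changes, so an id the browser
    // already carried before login is not the one that becomes authenticated.
    session_regenerate_id(true);

    $user = new userObjectClass();
    $user->setValidUser(1);
    $user->setUsername($row['username']);
    $user->setFullname($row['fullname']);
    $_SESSION['userobject'] = $user;   // stored server-side; the browser only holds the id
    return true;
}

// Guard for protected pages. Only $_SESSION is consulted: a query string such
// as ?isvalid=1 lands in $_GET and cannot reach $_SESSION unless
// register_globals is enabled (off by default since PHP 4.2.0).
function require_login() {
    if (empty($_SESSION['userobject'])
        || !($_SESSION['userobject'] instanceof userObjectClass)
        || !$_SESSION['userobject']->isValid()) {
        header('Location: login.php');
        exit;
    }
    return $_SESSION['userobject'];
}

function logout() {
    $_SESSION = array();
    session_destroy();
}
```

The two points this adds over the post's version are the instanceof check, which guards against a session value that is not the expected object, and the session id regeneration at login, which keeps an id chosen before authentication from becoming the authenticated one.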