Verifying users by setting up several session vars, is it a security risk?!

Bijan

I have to write a CMS that does something! I also have to make a user accounts area for the super user to add users and also define their permissions in using different parts of the control panel.

If it's a normal verification script, looking up the username & password in a database, I could write it in an include file and include it in all my pages. But what I have in here is really different, I don't wana check for the user permissions in all the pages. In order to get around it, I came up with this:

I check the username & password in the first page of the control panel, if it's valid, I set up a session variable with the value of "true", and then I make an array that contains the permissions that the user have, like Editing, Adding and etc.
So, in the other pages, I just check if that first session variable is true, and if yes, I lookup the permissions array and if he/she has correct permissions to use my page, I'll allow him/her to do so.

So, what do you think? Instead of checking for the username & passwords in all the pages, I'm just doing it in one page. Is there any security hole in this?! Can anyone fake a session variable?

douceur

If the session id is contained in a link to an external page, it can very easily be hijacked. One thing to do, is to store the ip of the user, and match it to the id. So if somebody tries to use his session id, they must have the same ip to access the page. Another way is to store things such as the user's browser, etc, and check to make sure they match on every page.

matt_4013

There's really no way to make it 100% secure. You can check the IP, but that's only being sent by HTTP headers, so it's pretty damn easy to spoof. Basically, as long as you keep your Session ID secure enough (ie, don't pass it through the url), and maybe do some matching like doucer said, then you make it pretty damn hard on whoever's cracking their way in! If security is really that important though, I would suggest using your standard sessions, over a Secure connection using SSL.

Bijan

Thank you guys, you really helped a lot. Just one more question, I'm new to PHP and I don't know how I can make sure that the session ID isn't sent via the browser. May you gimme a hand for this too?!

douceur

The session id must be sent to & from the browser for it to work right. The only way to make it truly secure is to use SSL.

Bijan

Originally posted by douceur
If the session id is contained in a link to an external page, it can very easily be hijacked. One thing to do, is to store the ip of the user, and match it to the id. So if somebody tries to use his session id, they must have the same ip to access the page. Another way is to store things such as the user's browser, etc, and check to make sure they match on every page.

I know that it's a little bit late, but now that I'm somehow finished with my CMS and I have to go through the username/password area, I wana recollect somethings from the past! Well, by saying storing the ip, you mean I store it in my db and then in each page I read the db and get the IP and match it with the current IP. It's not that I store the ip in a session variable too?! I know it's damn clear, but just out of curosity. I can not store it in sessions, because if it's hijacked, then the ip is hijacked too, right?

douceur

Yes, you are correct. Just remember that this is not entirely safe, either... It just helps.

Bijan

Yeah, thanks, but you know, I don't know ANYTHING about SSL, so, it's the safest way I persume!

Edit:Now that I said it, let's go against the rules and ask a new question in this old thread! Are there any books or something that you suggest for learning that SSL thingie?! I most like it to be in PDF format or something that I can download (via the Internet of course!)

douceur

I don't know anything about SSL myself, so I can't help you. Sorry.

Bijan

Ok, that's fine. Thanks for your helps anyway.