Basic question about login scripts and variable poisioning

journy101

Ive got a few basic questions about login scripts...

I have looked at a few login scripts where a login page is displayed to the user if they are not logged in, then once submited the logincheck function evaluates weather the user and pass is valid and logs them in.

Questions:

This question is about $_SESSION variables and variable poisoning. MY question is, why register the username and password as session variables, I read this is to prevent poisoning but when I think about it, to poision it the atacker would need a valide username and password so what difernce does it make if he retyped the variable in the GET request he would still need a corect password.

If they would need to have a corect usrrname and password in the first place why do I care if they entered it into a GET later in the day?

if (isset($_GET['passwprd'])){
unset($GET['password']);
return false;
}

if (isset($_SESSION['password'])){
return true; //is logged in
} else {
session_start();
$_SESSION['username'] = $_POST['uname'];
$_SESSION['password'] = $_POST['passwd'];
$return = validateUser($_SESSION['username']);
if ($return == true)
$return = validatePass($_SESSION['password']);
return $return
}

Hawkee

I think what you're trying to avoid is using a variable like $_SESSION[logged_in] = true; By allowing the session to store the username and password, you can check the database to ensure validity. Using a variable like $logged_in is bad because in this case, the user can send a get variable to access pages that he's not validated for.

Just my 2 cents,
- Hawkee

journy101

Half understanding, but still confused..

if I use a logged_in variable with the password and username, but instead of registering username and password as session variables I leave them as $password $username, and register logged_in as a session so they cant put it in a get request, they still need to guess the username and password to log in and gain access to the page right?

so if I am the hacker and send the request

www.mysite.com/index.php?logedin=true&username=eleet&password=12345

wouldent mater what login states password is invalid, even without password as a session variable. why coldent I use password username and logged_in all as standard variables? Without registering them as session.

Can you clefiry.

Hawkee

I think you might be a little confused about the difference between a session variable and a regular variable. A Session variable just allows code from different PHP documents to access a pool of variables. A regular get variable is only accessible through the current page. The reason you want to make sure the username and password are accessible from different PHP documents is for 2 reasons:

So the user doesn't need to enter their username and password for each page.
So when the user requests that something crucial be done like deleting information, we can check the username and password in the session to ensure this user has access to do so.

I hope this helps,
- Hawkee

journy101

Thank you Hawkee makes sence now the purpose of useing session variables and session ids.

I understand now.