$_SESSION: security

mccwd

Greetings,
I am making a web portal that uses username and password to login but also has different levels of user permissions, i figured the easiest way to ensure pages are only viewed by users that are logged in and of the right permission is to use $Session vars to store 2 variables:
$SESSION['logged_on'] =[true][false]
$_SESSION['perm']=[user][exec][admin]

my question is:
if i enclude the blow code in each page to ensure user is logged in and has the right permissions, is it secure.

code:

<?PHP
session_start();
if ($_SESSION['logged_on']==true && $_SESSION['perm']=='admin')
{
     //page content only viewable to admin class users
}
?>

is this system of user tracking and autorization secure, ie cant easily be tampered with to allow a 'user' level user from accessing an admin only section.

thank you in advance

ps the session vars are created after login through validation

ClarkF1

I'd never just used true and false and the admin level in sessions.

I'd store the username and hashed password in the session variables and write a function that checks the username and password in the database with those in the session variables and return the permission level.

MarkR

Yes, session variables should be secure (assuming they're set in a secure fashion).

One problem arising could be that the authorisation is essentially done just once at logon, then the user can continue to use the site indefinitely (until their session or cookies expire).

So for this reason you might feel that it's prudent to look the user up in the database on every hit to ensure that they're still authorised.

In that case, you wouldn't really need to use sessions at all, you can store some unguessable token in a cookie and use that to find the user in the database. I always change this token as soon as any authorisation change happens (user permissions change, password change etc), so as to cause any existing sessions to become invalid.

Mark

Xenon_Design

I hardly use seeions at all but the PHPSESSID parameter. I use that in conjunction with a database record to see who's logged in.

Basically instead of storing the login data anywhere on the client you basically get the PHPSESSID and make it a key field in a db. You then can have things as is_admin as a field.

That way theres no client side information avaliable for haxing. Ive developed an awsome login system using the unique PHPSESSID and its extreemly secure.

MarkR

Using the session ID in a query string is basically flawed; it opens your site to session fixation and other session hijack attacks.

Don't do it if you care about security.

Remember:

ini_set('sessions.use_only_cookies', true);

Mark

thewump

I'm working on something similar and found this recent thread by SEARCHING so will tag onto it.

Would the authenticate once, then track by session security method be strengthened by creating

$_SESSION['ip'] = current users IP

at login authentication and then each time the script is loaded compare current IP _session['ip']

It would avoid someone trying to create fake cookies with either randomly created session IDs, or stop someone from hijacking a session if they find out the session ID.

Keith

MarkR

Session fixations attacks are difficult if session.use_only_cookies is enabled, because the attacker would need to inject their own cookie as if it came from your site; this is normally only possible if your site has a XSS vulnerability.

Putting the user's IP address in the session is a VERY bad idea as a significant proportion of real users are behind multihomed / load balanced proxies which means their IP address changes during the session.

Mark