Session authentication ?

ultranet

I am rewriting a site that requires a normal level of security (i.e. not financial transactions, but user's personal accounts contain details that should be kept personal. - I do not want to get hacked!)

I have rewritten the site using a simple session based authentication structure, i.e:
User fills in form>username and password checked against DB>If successful, session variable of "username" is set.

After that, all pages are simply checked (in a basic isset($_SESSION('username')) type way. If it is not, then the user is re-routed to a login page.

I use a shared server (VPS) so it is hosted amongst other sites. Is this type of security going to be enough, or is it possible someone can hack a way to add a session variable themselves (I've sealed up against SQL injection and cleaned $_GET variables etc).

Any thoughts?

Thanks for your time

calabiyau

I would love to hear any responses to this query as I have recently switchec over from a cookie based log in system to one that does exactly what you have outlined. Can anybody clear up the security concerns with this method? I am pretty new to php sessions and have some concerns.

MarkR

The session can't easily be hijacked or fixed unless you allow / use query strings. I strongly, STRONGLY recommend setting session.use_only_cookies.

Of course if your application has other vulnerabilities (e.g. XSS, CSRF, SQL injection), these might enable a session hijack anyway.

On a shared server, nothing is certain, you are entirely at the mercy of the other application authors (and their competence/ diligence) anyway.

Mark