Session Security Issue

alirezaok

i have a page that user put his username and password. then my script checks his username and password form database. if it is correct then my script saves them in session:

$_SESSION['username']=$username;
$_SESSION['password']=$password;

after this job. users redirects to another page. in this page script reads $SESSION['username'] and $SESSION['password'] if it is correct from database then showes the content of page.
all other pages that linked from this page doing same this page too.

i have a question. is there any security risk in this alguritm? does any hacker can see session of user and password in /tmp directory and can simulator his as same this session? if yes what do i do? (i am using of shared hosting)

thanks

NogDog

I would not save the password as a session variable. Once you have confirmed a user's login, just save the user name in $SESSION. To see if a user is logged in, all you need to do then is check to see if $SESSION['username'] is not empty:

<?php
session_start();
if(empty($_SESSION['username']))
{
   // go to login process
   exit;
}
// display page
?>

alirezaok

is it possible maybe one hacker can create his username's session. then there is a username and he can attack.

but when username and password are in session and they are checks from database and if one hacker can create his username and password but they are not correct from database and hacker can not attack.

is this idea correct?

NogDog

If a hacker has enough access to view the user names in your session data directory, then he has enough access to view the passwords, too. So by storing the password in the session data, you really don't increase security, but you also add the possibility of a hacker learning your users' passwords, and then being able to log in with them normally without any "hacking" from that point on.

alirezaok

which is easier way for hacker to hack:

1- create a session uasename in /tmp directory manuelly not by use my php code. using of sever hole hack (then he can hack accodding to your php code example)

2- see the username password session and use of my php code to login normaly(then he can hack accodding to my php example)

which is easier for one hacker usually?

NogDog

If you are on a shared server and use the default PHP session directory, it is pretty easy for anyone else with an account on that server to view your session data. In such a case, you may want to look into using a database-driven session data mechanism, or at least specify a different session data directory for your scripts. If you are on a dedicated server, this is much less of an issue, as only someone who has broken your server security (cracking a server login account/password, uploading a malicious script, etc.) would be able to view your session data.

But remember that security is a many-layered problem. If you are dealing with sensitive data, then you should be using a SSL connection on your site to make life harder for network sniffers. You should very carefully control the database users/passwords so that some nasty person is not able to access your database and read the user tables at his leisure, then use brute force scripts to decrypt your users' passwords. Likewise you need to carefully control access to server and FTP logins/passwords. If you don't do these things, how you handle session data may be the least of your worries.