Session Again

Anon

I remember weeks ago I asked about making a login using sessions and md5 phrase. I just came across a question:

To make login using md5, we register 2 session variables $uid, $hashid then on every page we check whether the $hash can be recreated using the $hid. This should avoid people manually typing a different $uid to see other user's info.

My question is, since the $hid was registered into the session, the user should not be able to change its value. So even the user type ?uid=123 in the URL it won't change the session variable $uid. If that's the case then why do we have to use md5() to check the combination everytime?

Since user cannot session_register a session variable, shouldn't it be safe?

Please correct me if I am wrong.

Thanks!

Anon

Yes it should. You only need to pass the sessionid (and then only if you aren't using a cookie or the user has it disabled). Session variables overwrite all other passed variables (GPC). The user shouldn't even be aware of what you call the variable, and even if they did know and tried to set it manually their entry would be overwritten by the session value.

The only way they could actually see another users information would be if that other user had an active session AND they accurately guessed the sessionid. Since php uses an MD5 hash to generate the session id that a 1 in 3.4028236692093846346337460743177e+38 chance that they'll get it.

Not very likely. Still, not 100% secure on an open connection as the session id or the username/password combo could be sniffed, but combined with SSL is about as secure as you can get.