Safety using sessions

Anon

Hi!
I'm new to php, so maybe this is a stupid question, but please help me out somebody!

I've been working on a system where I use password protection.

If username and password is correct, I use
session_register("username") ...etc.
On every page that I want to be protected I check if(session_is_registered("username")) and give the user access if true.

On logout I destroy the session.

Everything seems to be working very well, but I want to be sure if this is safe?
How safe is it?
What kind of problems could I get?
How can I solve it?

Your friend,
Kristian Blom

Anon

Well,

Every security can be broken. Sessions are certainly more secure than cookies, yet if you want best security -> go with OpenSSl...

mrblom

Thanks!

How can I break security that use sessions? Do you need to be a rocket scientist, or can everybody do it in their sleep?

Kristian

Anon

Well,

You can get information that clients will be sending or server will be sending by intercepting packets. However, people would do it only if your information is really valuable... For example, never buy anything from the site that doesn't use SSL -> credit card numbers, passwords can be intercepted. In 1996 two dudes figured out how to break Netscape's encryption while data is sent.

Good book on security is Linux Hacking Exposed. It is full of useful info. Plus if you search google -> you'll get ton of security tutorials.

If your site will be visited by average Joes then I wouldn't worry much about it. Of course, once again, it depends on what kind of information you provide.

mrblom

Thanks a lot again!
My visitors are certainly not hackers, so I don't think I will have any problems.

Thanks again!