
Thread: Is this php secure - sessions

  1. #1
    SitePoint Addict
    Join Date
    May 2005
    Posts
    292

    Is this php secure - sessions

    I use the following code to see if a user is authorized to view the current page:

    PHP Code:
    session_start();
    // Extraction had dropped the assignment operators; '?? null' avoids undefined-index notices
    $uid = $_SESSION['uid'] ?? null;
    $username = $_SESSION['username'] ?? null;
    $userpass = $_SESSION['userpass'] ?? null;
    $firstname = $_SESSION['firstname'] ?? null;
    $lastname = $_SESSION['lastname'] ?? null;

    // Check to see if the session variables are set (logical &&, not bitwise &)
    if (!empty($uid) && !empty($username) && !empty($userpass) && !empty($firstname) && !empty($lastname)) {
        // page content
    } else {
        // not logged in
    }

    I use various other security checks within my script such as checking against the database. But to display a basic page is the above good enough, obviously I only set the above sessions once the username and password have been checked against the database.

    Thanks

  2. #2
    SitePoint Addict
    Join Date
    Mar 2003
    Location
    In a house in the USA
    Posts
    293
    I would not store your user password in a session.
    What I would do is store the session ID in a session variable along with your first and last name. Then use the session ID to authenticate the user in the database for future authentication. Remember it would be best also after initial authentication to generate a new session ID with session_regenerate_id().
    Daniel
    http://www.wlscripting.com - PHP Tutorials and code snippets
    Notepad++ Function List plugin tip - for PHP developers

  3. #3
    SitePoint Addict
    Join Date
    May 2005
    Posts
    292
    Should I generate a new session ID on every page? Also is storing a password in a session really a problem?

    Thanks

  4. #4
    SitePoint Zealot
    Join Date
    Mar 2007
    Posts
    192
    Not really, unless your script in any way outputs it or allows the user to specify which session variables to access.

    If you put a password in a session variable, no one can access it unless there is some kind of code that accesses session variables which can be manipulated by a user.

    However, many people consider it bad practice to store someone's password in a session variable. It's usually a better idea to authenticate the user and password, and then generate a fingerprint based on the hash of the user's browser information along with some random info and set it as a cookie, so that way they have to have the session id, and a cookie with a fingerprint, to access their information.

    Then generate a new session id each page load so that if someone does sniff out the id, it won't be valid for very long, since as soon as the user clicks on another page the sniffed id will not work.

  5. #5
    SitePoint Addict
    Join Date
    May 2005
    Posts
    292
    I'm not quite sure what you mean by "generate a fingerprint based on the hash of the user's browser information along with some random info"; how would I do this?

    Thanks

  6. #6
    SitePoint Zealot
    Join Date
    Mar 2007
    Posts
    192
    $_SESSION['fingerprint'] = md5($_SERVER['HTTP_USER_AGENT'] . "polasfdhkgahdy");

    This would create a hashed string; that user would have to have the fingerprint cookie along with the session id to be able to access their information.

    It is basically like setting two session ids, and one of them is regenerated on each page access. Try and break that! :P

  7. #7
    SitePoint Addict
    Join Date
    May 2005
    Posts
    292
    Ok thanks, but I'm still puzzled as to how I actually use the fingerprint session to check to see if the user can access that page; what do I check it against?

    Thanks

  8. #8
    SitePoint Addict tbakerisageek's Avatar
    Join Date
    Sep 2006
    Posts
    213
    These are all good methods for authentication. It looks like the original post asked to make sure that the logged in user is authorized to view the page being requested. I included a "Permissions" system in the last site that I built. It was quite interesting how I decided to do it.

    I have a table that includes the userID and permXXXX columns. Each permXXXX stands for a certain privilege, whether it is required to load a whole page or just a section of navigation or whatever.

    When the user logs in each permXXXX is loaded into a session variable named $_SESSION['permXXXX'] ($_SESSION['permViewUserAccounts'] or $_SESSION['permCreateCustomerAccount'] for example) and in each page itself I have a check that loads right after the session_start(); call.

    The check consists of
    PHP Code:
    $neededPermission = 'permXXXX';

    // This happens in a function as part of my 'page headers'
    if (($_SESSION[$neededPermission] ?? 0) != 1) {
        header('Location: permissiondenied.php');
        exit; // header() alone does not stop the rest of the page from running
    }

    My actual script is much more robust. Instead of redirecting to another page, it gives a message that the page is not available based on the user permission and bumps them back to the last page they were on, but all in all this is the basis of how it works.

    In my user management pages I have the ability to set checkboxes for what permissions are enabled for the user.
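A combined example, added here and not code from any poster in this thread, of the pattern the replies describe: keep no password in the session and regenerate the id after login (#2), bind a browser fingerprint that the page guard re-checks on every request (#4, #6, and the question in #7), and gate the page on a permXXXX flag loaded at login (#8). APP_SECRET, login_user and require_permission are assumed names, not anything from the thread.

```php
<?php
// Added example, not from the thread. Assumes APP_SECRET is a long random
// value kept server-side and $permissions was read from the DB at login.
declare(strict_types=1);

const APP_SECRET = 'PLACEHOLDER-replace-with-a-random-server-secret';

// Fingerprint: HMAC of the User-Agent under the server secret. The UA is
// client-controlled, so this only raises the bar for a stolen session id;
// it is an extra check, not a replacement for the session id itself.
function session_fingerprint(): string
{
    return hash_hmac('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '', APP_SECRET);
}

// Call once, right after the username/password were verified against the
// database. Only the user id, fingerprint and permissions go into the
// session; the password never does.
function login_user(int $uid, array $permissions): void
{
    session_regenerate_id(true);           // discard the pre-login id
    $_SESSION = [
        'uid'         => $uid,
        'fingerprint' => session_fingerprint(),
        'perms'       => $permissions,     // e.g. ['permViewUserAccounts' => 1]
    ];
}

// Page guard: run right after session_start() on every protected page.
function require_permission(string $neededPermission): void
{
    $stored = $_SESSION['fingerprint'] ?? '';
    if (empty($_SESSION['uid']) || !hash_equals($stored, session_fingerprint())) {
        session_unset();                   // fingerprint mismatch or no login:
        session_destroy();                 // drop the session and bounce to login
        header('Location: login.php');
        exit;                              // header() does not stop the script
    }
    if (($_SESSION['perms'][$neededPermission] ?? 0) !== 1) {
        header('Location: permissiondenied.php');
        exit;
    }
}

ini_set('session.cookie_httponly', '1');   // keep the id away from page scripts
session_start();
require_permission('permViewUserAccounts');
// ... page content for authorised users only ...
```

login_user() would be called from the login script after the DB check; the ini_set and session_start lines belong at the top of each protected page before any output.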
