  1. #1
    SitePoint Member

    Using session variables to determine site admin access - secure or not?

    Hi All,

    Firstly, I'd like to point out that while I'm creating a live site for a local club, I am a college student and this semester is my first introduction to PHP, so please don't get extremely technical in any replies.

    My site is set up to authenticate users by accepting the username and password, running an md5 hash on the password and comparing it to the stored username and md5 hashed password in my MySQL database. If a user is authenticated successfully I take all the information in the "Users" table relating to the user and store it within a session variable for ease of access later. I'm sure this is all pretty standard stuff so far.

    Within the users table I have a field called "Admin" which defaults to "NO" when a new user is created. What I am doing with my administration page is running my normal authentication checks and then checking to see if the session variable "Admin" is set to "YES". If so, the admin is logged in; if not, the user is redirected to the homepage. This should work since a user who is not logged in will not get as far as the admin check, in my beginner's opinion anyway.

    I'm wondering if anybody has used this method of authentication before and if it's actually secure, or can someone with a bit of experience gain access to and change the session variables or otherwise work around this method?

    Many thanks in advance,

    L

  2. #2
    SitePoint Member
    In case my explanation wasn't up to scratch, here's the admin authentication script which is pulled in with include_once on the admin-restricted pages. I can also post the basic authentication script if this would possibly affect the security of the site. The user information is stored by using mysql_fetch_assoc and storing the result in $_SESSION['user'].

    Code:
    <?php
    // Assumes session_start() has already run in the basic authentication
    // script that is included before this one.
    $admin = FALSE;
    // Only trust the flag if the login script actually stored a user row.
    if(isset($_SESSION['user']['Administrator']))
    {
     if($_SESSION['user']['Administrator'] =='YES')
     {
       $admin = TRUE;
     }
    }
    
    // Non-admins (and anyone not logged in) are sent back to the homepage.
    if(!$admin)
    {
      header('Location: index.php');
      exit; // stop rendering the rest of the page after the redirect
    }
    ?>

  3. #3
    Jake Arkinstall (Theoretical Physics Student)
    Sessions are pretty secure. Unlike cookies, they can't be modified from the browser. That code should be fine.

    However, what I'd recommend is for you to just store the logged-in ID in the session and reclarify all of the information on every load. That way, if a user is playing foul and is downgraded/blocked by another administrator, they would no longer be a member on the next page load.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes it's enough to make that wheel more rounded" - Molona

  4. #4
    SitePoint Member
    Thanks, Jake,

    I think what you're suggesting is to maybe re-check the important fields, like whether a member is active or inactive, on every load? As it is, the $_SESSION['user'] is very handy for things like displaying the user's name or throwing up membership expiration warnings.

    Would trimming the query to include only these types of information and rechecking whether the user is banned on every load achieve the same result as your suggestion of trimming to the logged-in ID, or were you suggesting a smarter way to achieve the same result?

  5. #5
    SitePoint Enthusiast
    Quote Originally Posted by EternalNoob:

        Thanks, Jake,

        I think what you're suggesting is to maybe re-check the important fields, like whether a member is active or inactive, on every load? As it is, the $_SESSION['user'] is very handy for things like displaying the user's name or throwing up membership expiration warnings.

        Would trimming the query to include only these types of information and rechecking whether the user is banned on every load achieve the same result as your suggestion of trimming to the logged-in ID, or were you suggesting a smarter way to achieve the same result?
    What Jake says is not to create an array containing all the user's information and store it in the session ($_SESSION['user']). Instead, just store the userid (the unique identifier of users, i.e. the primary key of the user table) in the session:
    $_SESSION['user'] = $current_users_userid;

    And on each and every page, make a retrieve call to the DB to fetch all the other information (like name, email, whether Admin is YES or NO) from the row where user_table.userid = $_SESSION['user'].
    This makes your application more secure. The only drawback is that it will increase your DB server activity, page load time, etc.
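The pattern recommended in posts #3 and #5 (keep only the user id in the session, re-read the row on every request), written out as an added example that is not the thread's own code. It assumes a PDO connection in $pdo and a `users` table with columns `userid`, `username`, `Administrator` and `Active`; the function names and the `Active` column are assumptions for illustration.

```php
<?php
// Added example (not from the thread): store only the user id in the
// session and re-fetch the row on each page load, so a ban or a revoked
// admin flag takes effect on the very next request.
declare(strict_types=1);

session_start();

// Called once, right after the username/password check has succeeded.
function loginUser(int $userid): void
{
    // Fresh session id on login so a pre-login id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['userid'] = $userid;
}

// Returns the current user's row, or null if nobody valid is logged in.
// Column names (userid, username, Administrator, Active) are assumed.
function currentUser(PDO $pdo): ?array
{
    if (!isset($_SESSION['userid'])) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT userid, username, Administrator, Active FROM users WHERE userid = ?'
    );
    $stmt->execute([(int) $_SESSION['userid']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['Active'] !== 'YES') {
        // Row gone or account deactivated: end the session completely.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return $row;
}

// Guard for admin-only pages; include_once it at the top, as in post #2.
// The admin decision comes from the database row, never from session data.
function requireAdmin(PDO $pdo): array
{
    $user = currentUser($pdo);
    if ($user === null || $user['Administrator'] !== 'YES') {
        header('Location: index.php');
        exit;
    }
    return $user;
}
```

The extra query per request is the cost Jake and post #5 describe; in exchange, nothing privilege-related ever lives in the session longer than one request.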

