Session security

matrix_ · December 20, 2011, 7:00am

Hey,

I have the following code:

if($_SESSION['memberid'] == $memberid || $_SESSION['userlevel'] == 3)

$_SESSION[‘memberid’] doesnt exist but $memberid does exist…

This part of the code $_SESSION[‘memberid’] == $memberid doesnt seen to stop people not logged in from accessing the data, but this $_SESSION[‘userlevel’] == 3 on its own does work…

Trying to make it so only the member who owns the record and the admins with userlevel 3 can access the code between the statement… Any reason it isnt working?

Thanks

Jaynesh · December 20, 2011, 7:14am

What does $_SESSION[‘memberid’] do if it doesnt exist?

You could try this:

if(($_SESSION['memberid'] == $memberid) || ($_SESSION['userlevel'] == 3))

Cups · December 20, 2011, 9:10am

Do you have error reporting turned on? If $_SESSION[‘memberid’] is not set, then it should be throwing a notice.

This is what I think is going on:

An unset variable equates to null and if $memberid is also not set, then you have two nulls. Two nulls are the same and equates to true, and so passes your condition.

If I’m right you should first check for the existence of $_SESSION[‘memberid’].


if( 
    ( isset($_SESSION['memberid']) && $_SESSION['memberid'] == $memberid )
    || 
    ( isset($_SESSION['userlevel]) && $_SESSION['userlevel'] == 3 )
  ){
// go ahead

}

matrix_ · December 20, 2011, 10:50am

Ahh yes, I see it was a non existant record when viewed so $memberid wasnt being set… hence allowing to view.

I guess it doesnt matter as the record cant be deleted as its doesnt exist in the database but i guess it should be stoped… The code above appears to have a syntax error?

Thanks…

Cups · December 20, 2011, 12:00pm

I failed to close a quote on an session array key.


$_SESSION['memberid'] = 3;
$memberid=23;

if( 
    ( isset($_SESSION['memberid']) && $_SESSION['memberid'] == $memberid )
    || 
    ( isset($_SESSION['userlevel']) && $_SESSION['userlevel'] == 3 )
  ){
echo ' go ahead';

} else {

echo 'abort';

}

You could also go on to check whether $memberid is set.

ie If none of them are set then abort higher up.


if( !isset( <var here> ) || !isset(  ) || !isset(  ) ) {
// abort
}

matrix_ · December 20, 2011, 8:59pm

Ahh sweet… thanks for the ideas…