security php - session variables

Furr (Can't get enough of FH; joined Dec 22, 2003; 1,067 messages)
OK, I'm just wondering how secure my system is.

A user logs on; the database checks to see if the username and password match the MySQL database username and an MD5-encrypted password.

If successful, the user is taken through and two session variables are set, which are their username and their user ID, so it could be:

Username = johnsmith@hotmail.com
UserID = 2

Each page checks to see if both of these exist.

So it would be like this:

SELECT *
FROM tblname
WHERE Username = $_SESSION['Username'] AND UserID = $_SESSION['UserID']


etc

But I might also have added recordsets that are like this:

SELECT *
FROM tblname2
WHERE tblname2.userid = $_SESSION['userid']

etc., etc.

Now I know that using the customer table's ID could be a risk, as the first 100 of them are ID = 1 or ID = 22.

But I need those IDs so I can do a lot of recordset filtering and data manipulation without using URL strings that are visible.

Any ideas? Would SSL sort this out?
 

phlash (Fledgling Freddie; joined Dec 24, 2003; 195 messages)
Not sure what security risks you are referring to here, Furr; however:

[1] Provided PHP session keys are sufficiently unpredictable, and your users log in over SSL, then the session itself can be considered secure, so there is no problem in checking for appropriate session variables to prove that a user has previously logged in successfully.

[2] If you are extracting data from a DB using a potentially shared key (the userID you describe above), then it's up to your code that subsequently processes and displays that data to make sure that you don't display the wrong user's data. Without seeing examples of what you are doing it's difficult to tell how secure this is. The session variable itself (userID) will be reliable provided it's only set after successful login.

HTH, Phil.
 

Furr (Can't get enough of FH; joined Dec 22, 2003; 1,067 messages)
I was generally wondering about session hijacking, but then a "hacker" would have to know the username and password to get through. The session variable UserID is only set if there is a successful login.

What I might do is go through the code and double-check it all, then get some SSL space to make it more secure.

All very tiresome, but clients want their sites uber security-conscious.
 

SheepCow (Bringer of Code; joined Dec 22, 2003; 1,365 messages)
I've never really used PHP's sessions, as when I last thought about it the language had only just gained the concept of a session, and they were unbelievably crap.

However, I believe they are not terribly secure. If anyone else gets the session ID they can use that person's session. If you are sending session IDs over GET and not as cookies then the session ID may show up in Referer logs.
 
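On SheepCow's point (a session ID carried in the URL leaks through Referer logs, and whoever holds the ID owns the session) and phlash's [1] (the session is only as safe as its ID is unpredictable and private), the following is an added example, not code from anyone in this thread. It shows the PHP settings that keep the session ID in a cookie only, mark that cookie secure when the site is served over SSL/TLS, refuse IDs the server never issued, and rotate the ID so a captured one has a short useful life. The session.* ini options, session_set_cookie_params() (array form, so PHP 7.3 or later is assumed) and session_regenerate_id() are real PHP; the helper name secure_session_start() and the 15-minute rotation interval are my own choices.

```php
<?php
// Added example: hardening how PHP transports the session ID.
// Not the thread's code. Assumes PHP 7.3+ for the array form of
// session_set_cookie_params(); helper name and intervals are my choices.

function secure_session_start(): void
{
    // Never accept a session ID from the query string: cookies only.
    ini_set('session.use_only_cookies', '1');
    // Never rewrite links/forms to append ?PHPSESSID=... (the Referer-log leak).
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs the server did not itself issue (a planted cookie
    // with an attacker-chosen ID gets a fresh ID instead of being adopted).
    ini_set('session.use_strict_mode', '1');

    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, dropped on close
        'path'     => '/',
        'secure'   => $https,   // only sent over SSL/TLS when served that way
        'httponly' => true,     // not readable from JavaScript (document.cookie)
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();

    // Idle timeout: a session nobody has used for 30 minutes is discarded,
    // which limits how long a stolen ID stays valid after the victim walks away.
    if (isset($_SESSION['__last_seen']) && $now - $_SESSION['__last_seen'] > 1800) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['__last_seen'] = $now;

    // Periodic rotation: issue a new ID every 15 minutes and delete the old
    // one (the "true" argument), so an ID copied from a log expires quickly.
    if (!isset($_SESSION['__created'])) {
        $_SESSION['__created'] = $now;
    } elseif ($now - $_SESSION['__created'] > 900) {
        session_regenerate_id(true);
        $_SESSION['__created'] = $now;
    }
}

// Call this instead of session_start() at the top of every page.
secure_session_start();
```

The two ini_set() calls only work if they run before session_start(); setting session.use_only_cookies and session.use_trans_sid in php.ini or .htaccess has the same effect site-wide and is the safer place for them. With these in place the only way for a third party to obtain the ID is to read the cookie off the wire, which is what serving the whole logged-in area over SSL (not just the login form) prevents.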

Furr (Can't get enough of FH; joined Dec 22, 2003; 1,067 messages)
SheepCow said:
I've never really used PHP's sessions, as when I last thought about it the language had only just gained the concept of a session, and they were unbelievably crap.

However, I believe they are not terribly secure. If anyone else gets the session ID they can use that person's session. If you are sending session IDs over GET and not as cookies then the session ID may show up in Referer logs.

Just out of interest, what do you use now to hold the data?

Also, let me start again (I'm a PHP newbie, coder newbie in fact). Say I wrote this short script:

PHP:
<?php
  // Initialize session
  session_start();

  $_SESSION['MM_Username'] = "johnsmith@hotmail.com";

?>

OK, by doing the above I am giving myself the session variable johnsmith@hotmail.com. Now the check script looks like this; it's the plain standard Dreamweaver one:

PHP:
<?php
if (!isset($_SESSION)) {
  session_start();
}
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
  // For security, start by assuming the visitor is NOT authorized.
  $isValid = false;

  // When a visitor has logged into this site, the Session variable MM_Username is set equal to their username.
  // Therefore, we know that a user is NOT logged in if that Session variable is blank.
  if (!empty($UserName)) {
    // Besides being logged in, you may restrict access to only certain users based on their username.
    // Parse the strings into arrays.
    $arrUsers = explode(",", $strUsers);
    $arrGroups = explode(",", $strGroups);
    if (in_array($UserName, $arrUsers)) {
      $isValid = true;
    }
    // Or, you may restrict access to only certain groups based on an ID established when they log in.
    if (in_array($UserGroup, $arrGroups)) {
      $isValid = true;
    }
    // No user list supplied: any logged-in user is allowed through.
    if ($strUsers == "") {
      $isValid = true;
    }
  }
  return $isValid;
}

$MM_restrictGoTo = "../fail.php";
// MM_UserID is only present after login; default it so the check does not raise an undefined-index notice.
$MM_UserGroup = isset($_SESSION['MM_UserID']) ? $_SESSION['MM_UserID'] : "";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("", $MM_authorizedUsers, $_SESSION['MM_Username'], $MM_UserGroup)))) {
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?") !== false) $MM_qsChar = "&";
  // $QUERY_STRING only exists with register_globals on; read it from $_SERVER instead.
  if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0)
    $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
  $MM_restrictGoTo = $MM_restrictGoTo . $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: " . $MM_restrictGoTo);
  exit;
}
?>

All this does is check to see what's in the session variable MM_Username. Now, admittedly, just putting anything in MM_Username means you can't see anything content-wise, as the wrong details are in. And unless the person knows both the MM_Username and its corresponding MM_UserID they can't see any data. However, I still think it's a risk that a session can be set and they can essentially gain access to some degree, although without any content to the site.

How could I make this secure?

I'm in the early stages of learning PHP, but the book I have only really goes into it simply. Is this something to worry about, or not?

My login script looks like this, btw:

PHP:
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['username'])) {
  $loginUsername = $_POST['username'];
  $password = $_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "secure/secureindex.php";
  $MM_redirectLoginFailed = "fail.php";
  $MM_redirecttoReferrer = false;
  // $gemtraveldatabase and $database_gemtraveldatabase come from the Dreamweaver connection include.
  mysql_select_db($database_gemtraveldatabase, $gemtraveldatabase);

  // Escape quotes unless magic_quotes_gpc has already done it.
  $loginUsername = get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername);
  $password = get_magic_quotes_gpc() ? $password : addslashes($password);
  // The PASSWORD column holds md5() of the plain-text password, so the hash is compared in the WHERE clause.
  $LoginRS__query = "SELECT EMAIL, PASSWORD, ID FROM user_details WHERE EMAIL='$loginUsername' AND PASSWORD='" . md5($password) . "'";

  $LoginRS = mysql_query($LoginRS__query, $gemtraveldatabase) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
    $login_data = mysql_fetch_assoc($LoginRS);
    $loginUserID = $login_data['ID'];

    // Declare two session variables and assign them.
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserID'] = $loginUserID;

    // Dreamweaver's "redirect to referrer" option is switched off here (hence the "&& false").
    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
    }
    header("Location: " . $MM_redirectLoginSuccess);
  }
  else {
    header("Location: " . $MM_redirectLoginFailed);
  }
  exit; // stop here so nothing after the redirect header is executed or sent
}
?>
 
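Pulling together Furr's design from the first post (two session variables set only on a successful login, every page checks for both, recordsets filtered by the session's user ID rather than by anything in the URL) and phlash's [2] (the code that reads by userID must only ever show that user's rows), here is an added example of the same flow with the weak spots in the two Dreamweaver scripts above fixed. It is my code, not the thread's and not Dreamweaver's. What it changes: the password is checked in PHP with password_verify() against a stored password_hash() value instead of md5() in the WHERE clause (a swapped-in technique; the PASSWORD column must be widened to VARCHAR(255) and existing rows rehashed); the SQL uses PDO prepared statements instead of addslashes() and string building; the session ID is regenerated at login so an ID observed or planted before login is worthless; and every header("Location: ...") is followed by exit. The table and column names (user_details: ID, EMAIL, PASSWORD) and the form field names come from the thread; the DSN, credentials, the orders table and the helper names are assumptions.

```php
<?php
// Added example, not the thread's Dreamweaver code. Assumes PHP 7+ with PDO
// and a user_details table whose PASSWORD column stores password_hash() output.
// DSN/credentials, the orders table and all function names are assumed.

declare(strict_types=1);
session_start();   // with session.use_only_cookies=1 / use_trans_sid=0 in php.ini

function db(): PDO
{
    // Assumed connection details; replace with your own.
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=gemtraveldatabase;charset=utf8mb4', 'app', 'secret', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
        ]);
    }
    return $pdo;
}

/** Login: sets the two session variables only after a successful check. */
function login(string $email, string $password): bool
{
    // The password never goes into the SQL at all; only the email is bound.
    $stmt = db()->prepare('SELECT ID, EMAIL, PASSWORD FROM user_details WHERE EMAIL = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // PASSWORD holds a password_hash() value (bcrypt), not md5(). Comparing in
    // PHP means an unknown user and a wrong password behave identically.
    if ($row === false || !password_verify($password, $row['PASSWORD'])) {
        return false;
    }

    // Drop the pre-login session ID so a fixated or observed ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['MM_Username'] = $row['EMAIL'];
    $_SESSION['MM_UserID']   = (int) $row['ID'];
    return true;
}

/** Per-page check: both variables must be present; returns the user ID to filter on. */
function require_login(string $failUrl = '../fail.php'): int
{
    if (empty($_SESSION['MM_Username']) || empty($_SESSION['MM_UserID'])) {
        header('Location: ' . $failUrl);
        exit;   // without this the rest of the page still runs and is sent
    }
    return (int) $_SESSION['MM_UserID'];
}

/** A recordset filtered by the logged-in user's ID, taken from the session, never the URL. */
function orders_for_current_user(): array
{
    $userId = require_login();
    $stmt = db()->prepare('SELECT * FROM orders WHERE userid = ?');   // orders table assumed
    $stmt->execute([$userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Handling the login form (same field names as the thread's form).
if (isset($_POST['username'], $_POST['password'])) {
    if (login((string) $_POST['username'], (string) $_POST['password'])) {
        header('Location: secure/secureindex.php');
    } else {
        header('Location: fail.php');
    }
    exit;
}
```

To create the stored value when a user registers or changes their password, use password_hash($plain, PASSWORD_DEFAULT) and store the returned string in PASSWORD. The worry in the post above (that someone could set MM_Username themselves) does not arise for a visitor: $_SESSION lives on the server and the browser only holds the session ID, so the only way to have MM_UserID set to 2 is to log in as user 2 or to obtain user 2's session ID, which is what cookie-only transport and SSL are for.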
