
$_SESSION[ID] a secure login?

Is using $_SESSION, storing the member's userid, a secure way to log a user in?

i.e. I have a login form; to log the user in I register their userid into a session and use $_SESSION to verify the user is logged into their profile.

I guess what I am asking is: can a malicious user manipulate the $_SESSION form and put in another user's USERID?

PHP

2 Comment(s)

@johnWebber Dec 19, 2011 — you might want to take a look at session hijacking. Take a look at this article:

http://phpsec.org/projects/guide/4.html

Also you might want to do a bit of research on xss (cross site scripting)
@svidgen Dec 19, 2011 — The _SESSION array is stored and managed server-side. When the script runs, the _SESSION array is called up by a cookie value. But the data in the session is "private" and "secure" as long as your script(s) keep it so. However, if you're using out-of-the-box session management on a shared host, there may be some risk of another application mucking with your session data. That risk is lessened if you store your sessions in a private store.

The other concern is ensuring that what YOU do with the session data is safe and secure. Make sure you're not blindly dumping data into the _SESSION. Make sure you're authenticating the user at the time the _SESSION['id'] is being set. Etc.
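The two answers above cover the same flow from different angles: the session id in the cookie is the only thing the browser controls (so it is the thing to protect against hijacking and fixation), and the user id must only ever be written into $_SESSION after the password check has passed. The following is an added example, not code from the thread or from either commenter, showing a login that does both. The users table, its column names, and the session save path are assumptions for illustration.

```php
<?php
// Added example (not from the original thread). Minimal PHP login that
// keeps only the user's id in $_SESSION, writes it only after the password
// check succeeds, and regenerates the session id so a pre-planted cookie
// (session fixation) never becomes an authenticated session.
declare(strict_types=1);

// On a shared host the default save_path is often shared with other
// tenants; pointing it at a directory only this app can read is the
// "private store" mentioned above. Path is an assumption.
ini_set('session.save_path', '/var/lib/myapp/sessions');

// Reject session ids the server never issued (forged cookie) and refuse
// to take the id from the URL.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');

// HttpOnly keeps the cookie away from script (XSS theft), Secure limits it
// to HTTPS, SameSite blocks most cross-site reuse of the cookie.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

/**
 * Authenticate against an assumed table users(id, username, password_hash)
 * where password_hash was produced by password_hash().
 */
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() does the constant-time comparison internally.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Discard the pre-login session id before storing anything privileged.
    session_regenerate_id(true);
    $_SESSION['user_id']    = (int) $row['id'];
    $_SESSION['login_time'] = time();
    return true;
}

/** The user id comes from server-side session storage, never from the request. */
function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Handler wiring (assumed form fields and DSN):
//   $db = new PDO('sqlite:/var/lib/myapp/app.db');
//   if (login($db, $_POST['username'], $_POST['password'])) { header('Location: /profile.php'); exit; }
// Profile page guard:
//   if (currentUserId() === null) { header('Location: /login.php'); exit; }
```

The point the question is really asking about is visible in currentUserId(): nothing in the request body, query string or cookie is ever copied into $_SESSION['user_id'], so the only way another user's id ends up there is through the server's own login() path. What a remote attacker can still try is to obtain or plant the session id cookie, which is why the cookie flags, use_strict_mode and session_regenerate_id() are set before any id is stored.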
Posted by @JimmyBanks