> It is impossible for clients to alter session variables on PHP-based websites,
> right? The security of my site, especially in record deletion scripts, relies
> heavily on $_SESSION['user_id'], and I just want to be sure this is an impregnable
> security method before I publish my site.
Nothing is "impregnable" (well, maybe Rosie O'Donnell, but I digress).
However, publishing details of your security surely is a way to make it
much less secure. Firefox's add-in web developer tools can create
session cookies, so if they know the name of the session id (like
user_id) and the value that needs to go there, they could find a
way to make it happen. I always build more than a single check point in
to systems that have to be seriously secure, and I make the check points
dependent upon each other (if a is x, then b can only be y, so if a & b
don't match x & y, they are kicked out).
Visit us for dozens of useful Dreamweaver Extensions.
Partner at Community MX - Extend your knowledge
Well, every user on the site will know their own ID... as well as everyone else's IDs.
Tell me if this would work:
Each user is assigned a random 32 character key when they register and only the server knows this key. It would be stored in the user database. Then each time the user logs in that key would be assigned to a session variable.
So every time a user wants to update or delete any record it would check to see if that session variable is equal to the key in the user database. So even if a user somehow altered their 'user id' session variable, they would not know what to put for the 32-char key... unless they hacked my database as well.
Speaking of databases, it is a scary thought to think about someone wiping out my database. Is it possible to keep a real-time backup of my whole database in some separate file, or would that slow down my site too much for users?
Yes, I am very paranoid about my site's security... but it's probably not a bad thing.
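The per-user random key described in the post above, worked through in PHP as an added example (this is not code from the thread or from either poster). It assumes a `users` table with a `session_key` column and a `records` table with an `owner_id` column; both are created here in an in-memory SQLite database with constructed rows so the script runs stand-alone, and a plain `$session` array stands in for `$_SESSION`. It also shows the "dependent check points" idea from the first reply: the session key must match the DB copy for the claimed `user_id`, and the DELETE itself is scoped to the record owner.

```php
<?php
// Added example, not from the original thread. Assumes a users table with
// (id, name, session_key) and a records table with (id, owner_id, body);
// both are created in an in-memory SQLite DB with constructed rows.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, session_key TEXT)');
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");
$db->exec("INSERT INTO records (id, owner_id, body) VALUES (10, 1, 'alice record'), (20, 2, 'bob record')");

// Called once the credentials have been verified. A fresh key is generated on
// every login (so an old copy of it is useless), stored in the DB and in the
// session, and the session id is rotated so a pre-known id is not carried over.
function login(PDO $db, array &$session, int $userId): void
{
    $key = bin2hex(random_bytes(16)); // 32 hex characters, only the server knows it
    $db->prepare('UPDATE users SET session_key = ? WHERE id = ?')->execute([$key, $userId]);
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session['user_id'] = $userId;
    $session['session_key'] = $key;
}

// Two dependent checks: the key held in the session must match the DB key for
// the claimed user_id, and the DELETE is scoped to owner_id, so a wrong user_id
// or a record the user does not own both end with nothing deleted.
function deleteRecord(PDO $db, array $session, int $recordId): bool
{
    if (!isset($session['user_id'], $session['session_key'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT session_key FROM users WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $stored = $stmt->fetchColumn();
    // hash_equals compares in constant time; a NULL key (logged out) never matches
    if ($stored === false || !hash_equals((string) $stored, (string) $session['session_key'])) {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM records WHERE id = ? AND owner_id = ?');
    $stmt->execute([$recordId, $session['user_id']]);
    return $stmt->rowCount() === 1;
}

// Logging out clears the DB copy, so a leftover or stolen session key stops working.
function logout(PDO $db, array &$session): void
{
    if (isset($session['user_id'])) {
        $db->prepare('UPDATE users SET session_key = NULL WHERE id = ?')->execute([$session['user_id']]);
    }
    $session = [];
}

// --- demonstration on the constructed rows ---
$session = [];
login($db, $session, 1);                            // alice logs in
var_dump(deleteRecord($db, $session, 20));          // bob's record: owner check blocks it
var_dump(deleteRecord($db, $session, 10));          // alice's own record: deleted

$tampered = $session;
$tampered['user_id'] = 2;                           // user_id changed, key is still alice's
var_dump(deleteRecord($db, $tampered, 20));         // key does not match user 2: blocked

logout($db, $session);
var_dump(deleteRecord($db, $session, 20));          // no session: blocked
```

One caveat worth keeping in mind when reading this: a browser cannot edit `$_SESSION` itself, because that data lives on the server and the client only holds the session id cookie. What a client can do is steal, guess or fixate that cookie, and then it obtains `user_id` and the random key together, so the extra key does not help against session hijacking. What it does add is protection against stale sessions after logout and against anything that writes untrusted values into the session; regenerating the session id at login and clearing the key at logout, as above, cover the fixation and leftover-session cases.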