2 Replies Latest reply on Sep 13, 2007 1:55 PM by AngryCloud

    $_SESSION variables

    AngryCloud Level 1
      It is impossible for clients to alter session variables on PHP-based websites, right? The security of my site, especially in record deletion scripts, relies heavily on $_SESSION['user_id'], and I just to be sure this is an impregnable security method before I publish my site.
        • 1. Re: $_SESSION variables
          Level 7
          AngryCloud wrote:
          > It is impossible for clients to alter session variables on PHP-based websites,
          > right? The security of my site, especially in record deletion scripts, relies
          > heavily on $_SESSION['user_id'], and I just to be sure this is an impregnable
          > security method before I publish my site.
          >
          Nothing is "impregnable" (well, maybe Rosie O'Donnell, but I digress) -
          however, publishing details of your security surely is a way to make it
          much less secure - Firefox's addin web developer tools can create
          session cookies which, if they know the name of the session id (like
          user_id) and the value that needs to go there, then they could find a
          way to make it happen. I always build more than a single check point in
          to systems that have to be seriously secure and I make the check points
          dependent upon each other (if a is x, then b can only be y, so if a & b
          don't match x & y, they are kicked out)

          --
          Paul Davis
          http://www.kaosweaver.com/
          Visit us for dozens of useful Dreamweaver Extensions.

          http://www.communitymx.com/
          Partner at Community MX - Extend your knowledge
          • 2. Re: $_SESSION variables
            AngryCloud Level 1
            Well, every user on the site will know their own ID... as well as everyone else's IDs.


            Tell me if this would work:

            Each user is assigned a random 32 character key when they register and only the server knows this key. It would be stored in the user database. Then each time the user logs in that key would be assigned to a session variable.

            So every time a user wants to update or delete any record it would check to see if that session variable is equal to the key in the user database. So even if a user somehow altered their 'user id' session variable, they would not know what to put for the 32-char key... unless they hacked my database as well.

            Speaking of databases, it is a scary thought to think about someone wiping out my database. Is it possible to keep a real-time backup of my whole database in some separate file, or would that slow down my site too much for users?


            Yes, I am very paranoid about my site's security... but its probably not a bad thing.