Poor handling of PHP session variables?

Currently, I use the following code in my cms to check if the visitor is registered as an administrator so that he can edit the current page:

if ($_SESSION['admin'] == "1") { echo '<a href="foobar/?update">edit</a>'; }

But I worry that the code is unsafe. Is it not possible for the user to change $_SESSION variables?

What would be safer practice?

+4
5 answers

No, this is a good way to do this. A user cannot change the global $_SESSION unless he has access to your server. Remember to stay away from cookies on the client side.

To make it even more secure, a good way is to keep the IP address and check that it remains unchanged between each request.

+4

The code is fine, you just show the link. Just make sure your UPDATE script is also protected.

+3

$_SESSION variables cannot be set by the user. Therefore, the code is fine, although usually you ask your user backend (usually just a users table, sometimes LDAP) about the current user's privileges.

+1

I found this session security presentation

It explains how to avoid:

  • Session fixation.
  • Session capture.

Also, the slide with additional information has some really good links.

+1

Session variables should be safe enough as long as your coding is safe.

Also, use === instead. It stops errors with ==. You should probably also use true, as this is much faster than string comparisons.

if ("1" === $_SESSION['admin'])
0
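Putting the answers above together (strict comparison, protecting the update script itself rather than just the link, and regenerating the session id against fixation), here is an added example; it is not code from the question or from any of the answers. It assumes the CMS stores the string "1" in $_SESSION['admin'] after login, as in the question, and that a script called update.php is what "foobar/?update" runs.

```php
<?php
// Added example, not code from the question or any answer.
// Assumes the CMS stores "1" in $_SESSION['admin'] after a successful login,
// as in the question, and that update.php is the script behind "foobar/?update".

declare(strict_types=1);

// Harden the session cookie before the session starts (constructed settings).
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Call this once the login form has verified the credentials (not shown here).
function mark_logged_in_admin(): void
{
    // Issue a fresh session id so an id fixed before login is useless.
    session_regenerate_id(true);
    $_SESSION['admin'] = '1';
}

// Strict comparison: "1" === ... does not treat 1, true or "1.0" as equal.
function is_admin(): bool
{
    return isset($_SESSION['admin']) && '1' === $_SESSION['admin'];
}

// Guard for the script that performs the update. Showing or hiding the
// link only controls the UI; this check is what actually protects the action.
function require_admin(): void
{
    if (!is_admin()) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Page rendering: show the link only to admins ...
if (is_admin()) {
    echo '<a href="foobar/?update">edit</a>';
}

// ... and at the top of update.php, before any write to the database:
// require_admin();
```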
