Session authentication - is it enough?

Discussion in 'PHP' started by mattlindsay, Dec 26, 2006.

  1. #1
    I am rewriting a site that requires a normal level of security (i.e. not financial transactions, but users' personal accounts contain details that should be kept personal; I do not want to get hacked!)

    I have rewritten the site using a simple session-based authentication structure, i.e.:
    User fills in form > username and password checked against DB > if successful, session variable "username" is set.

    After that, all pages are simply checked (in a basic isset($_SESSION['username']) type of way). If it is not set, the user is re-routed to a login page.

    I use a shared server (VPS), so it is hosted amongst other sites. Is this type of security going to be enough, or is it possible someone can hack a way to add a session variable themselves? (I've sealed up against SQL injection and cleaned $_GET variables etc.)

    Any thoughts?

    Many thanks

    Matt
     
    mattlindsay, Dec 26, 2006 IP
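The scheme in the post (check credentials, set $_SESSION['username'], test isset() on every page) is sound in outline, but two details decide whether "someone can add a session variable themselves": where the session files live on a shared host, and whether the session ID is replaced at login. The following is an added example, not code from the thread or from the poster's site. It assumes a PDO handle $pdo, a users table with columns id, username and password_hash (stored with password_hash()), a private sessions directory outside the web root, and PHP 7.3 or later for the array form of session_set_cookie_params(); all of those are assumptions, not details from the post.

```php
<?php
// Added example (not code from the thread): a session-based login in the shape
// the original post describes, with the fixes a reviewer would ask for.
// Assumed, not from the post: a PDO handle $pdo, a `users` table with columns
// id, username, password_hash (created with password_hash()), a private
// sessions directory, and PHP >= 7.3 for the array form of session_set_cookie_params().
declare(strict_types=1);

// Shared hosting: the default session.save_path (often /tmp) is shared with every
// other site on the machine. Any tenant who can write there can create or edit a
// session file and thereby "set" $_SESSION['username'] without knowing a password.
// Keep session files in a directory only this site's user can read and write.
ini_set('session.save_path', __DIR__ . '/../private/sessions');   // assumed path
ini_set('session.use_strict_mode', '1');   // refuse session IDs the server never issued
ini_set('session.use_only_cookies', '1');  // never take the session ID from the URL
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, discarded when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

/** Check credentials with a prepared statement and start an authenticated session. */
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), even for unknown users, so the response time
    // does not reveal which usernames exist.
    $hash = ($row !== false) ? $row['password_hash'] : password_hash('no-such-user', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }

    // Issue a fresh session ID at the privilege change so an attacker who planted
    // (fixated) a session ID before login does not end up holding the logged-in one.
    session_regenerate_id(true);
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['username']  = $username;
    $_SESSION['last_seen'] = time();
    $_SESSION['ua_hash']   = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return true;
}

/** Put this at the top of every protected page instead of a bare isset() check. */
function require_login(int $idleSeconds = 1800): void
{
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $ok = isset($_SESSION['user_id'], $_SESSION['last_seen'], $_SESSION['ua_hash'])
        && (time() - $_SESSION['last_seen']) < $idleSeconds   // idle timeout
        && hash_equals($_SESSION['ua_hash'], $ua);            // weak extra binding
    // Binding the session to the client IP is deliberately omitted: users behind
    // mobile carriers and corporate proxies change IP mid-session and would be
    // logged out, while an attacker on the same NAT would pass the check anyway.
    if (!$ok) {
        logout();
        header('Location: /login.php', true, 302);
        exit;
    }
    $_SESSION['last_seen'] = time();   // sliding idle window
}

/** Clear the session server-side and expire the cookie client-side. */
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

A login form handler would call login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '') and redirect on success; every other page calls require_login() before producing output. The three points that matter most for the question asked are the private session.save_path (the realistic way a co-tenant "adds a session variable" is by writing to a shared session directory), session_regenerate_id(true) at login (defeats session fixation), and use_strict_mode (the server never adopts an ID it did not issue).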
  2. Senpai IT

    Senpai IT Active Member

    #2
    For the required security level this method is reasonably enough.
     
    Senpai IT, Dec 26, 2006 IP
  3. nico_swd

    nico_swd Prominent Member

    #3
    nico_swd, Dec 27, 2006 IP
  4. mattlindsay

    mattlindsay Peon

    #4
    That's really useful, thanks. I was planning to administer an IP-identifying version of the simple session vars authentication; looks like I should finish that off pronto!

    Anyone know any good security auditing firms? (And I can't do anything too pricey.)

    Cheers

    Matt
     
    mattlindsay, Dec 27, 2006 IP
  5. Senpai IT

    Senpai IT Active Member

    #5
    Yes, I can suggest this guy: icq 125-238-613. He is a real pro, CTO of Premium-Security GmbH, the German company that does exactly what you need, and my good business partner. You can explain to him what you need and agree on a quotation. If you tell him that you were directed to him by Senpai, he will not rip you off :)
     
    Senpai IT, Dec 27, 2006 IP
  6. mattlindsay

    mattlindsay Peon

    #6
    Why, would he normally try and rip me off? ;)
     
    mattlindsay, Dec 27, 2006 IP
  7. Senpai IT

    Senpai IT Active Member

    #7
    IMHO he has very reasonable pricing for remote hands and security testing. But if you tell him you are from Senpai, he will give you a discount.
     
    Senpai IT, Dec 27, 2006 IP
  8. mattlindsay

    mattlindsay Peon

    #8
    lol, I was only teasing... it was just the way you phrased it, Senpai. Much appreciated for the heads-up. I will give him a PM when I get a chance.

    Cheers for your help, y'all

    Matt
     
    mattlindsay, Dec 27, 2006 IP
  9. drewbe121212

    drewbe121212 Well-Known Member

    #9
    If you have not, please take a look at the PDF file that was linked to in this post. It contains some great information on security. I have bookmarked it to distribute to people.

    Thanks for the information.
     
    drewbe121212, Dec 27, 2006 IP