Session security

Discussion in 'PHP' started by Triexa, Jan 11, 2007.

  1. #1
    If I wanted to store all my user info in a session rather than fetching it through MySQL on every page load, is it still safe?

    I have this in htaccess:
    php_value session.cookie_domain .MYDOMAIN.COM

    Soo... is it stored in a session on the server or a cookie?

    Basically, if I were to say $_SESSION['access_level'] = 5, is there some way they could manipulate the value and give themselves a higher access level?
     
    Triexa, Jan 11, 2007 IP
  2. rodney88

    #2
    In the cookie is just the session id. This corresponds to the session data stored as a file on your server.

    They won't be able to change their session data - the worst case is they may be able to hijack someone else's session. For instance, if you log in and have a full access level, then if another user is able to get your session id they can take over your session and will have your access level. But that's probably very unlikely.
     
    rodney88, Jan 11, 2007 IP
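
An added example, not part of the original thread: one way to reduce the session-hijacking risk described in post #2 is to accept the session ID only from a restricted cookie and to issue a fresh ID at login. The `.example.com` domain, the helpers `login_user()` and `session_is_fresh()`, and the 30-minute idle limit are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Include before any output is sent.

// Accept only session IDs this server generated, and only via the cookie.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Cookie attributes (the array form requires PHP 7.3+).
session_set_cookie_params([
    'lifetime' => 0,               // dropped when the browser closes
    'path'     => '/',
    'domain'   => '.example.com',  // placeholder for the poster's .MYDOMAIN.COM
    'secure'   => true,            // sent over HTTPS only
    'httponly' => true,            // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Hypothetical helper: call only after the credentials have been verified.
function login_user(int $userId, int $accessLevel): void
{
    // New ID for the authenticated session; true deletes the old session data.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['access_level'] = $accessLevel; // kept server-side only
    $_SESSION['last_seen']    = time();
}

// Hypothetical helper: call on authenticated pages to expire idle sessions.
function session_is_fresh(int $maxIdle = 1800): bool
{
    $last = $_SESSION['last_seen'] ?? 0;
    if (time() - $last > $maxIdle) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}
```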
  3. clancey

    #3
    If you store the information in a session variable it is possible for someone to guess the name of the variable and set it in the URL. You can prevent that from happening by checking all user submitted information and disallowing any effort to reset the value of specific session variables.

    Create a PHP file and put the following in it:

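    <?php
    // Abort the request if any top-level key in a request array is named
    // after a PHP superglobal (_GET, _POST, _SESSION, GLOBALS, ...).

    secureInputArray($_GET);
    secureInputArray($_POST);
    secureInputArray($_COOKIE);

    secureInputArray($_FILES);
    secureInputArray($_ENV);
    secureInputArray($_SERVER);

    function secureInputArray(&$array)
    {
        // Lower-case names that must never appear as input keys.
        static $banned = array('_files', '_env', '_get', '_post', '_cookie', '_server', '_session', 'globals');

        foreach ($array as $key => $value) {
            // Keys may be integers, so cast before lower-casing; compare strictly.
            if (in_array(strtolower((string) $key), $banned, true)) {
                die('We are encountering unexpected problems with our server. Please try again later.');
            }
        }
    }

    ?>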
    Include that file in every page in your website or in any init.php page that they all might call. I use require_once("secure.php");

    Any effort to change a session variable value will fail.
     
    clancey, Jan 11, 2007 IP
  4. Triexa

    #4
    Thanks clancey, I'll look into that sample code

    I do a lot of work on some pages with javascript as well.

    1) Can it access the same session information or is it simply not possible?
    2) Say I were to put "accountLevel = 5;" inside a <script> in my header file. This is EASILY changed through "javascript:accountLevel = 10" in the address bar. What can I do to combat this or do some other method?
     
    Triexa, Jan 11, 2007 IP
  5. nico_swd

    #5
    What does this javascript do? Is AJAX involved? If so, check on the server side if the submitted account level equals the one in the session. If not, stop the script.
     
    nico_swd, Jan 12, 2007 IP
  6. rodney88

    #6
    Do you have any more info on this? I've always thought it'd be impossible to modify anything but GET data by playing with the URL so naturally this is quite a revelation and a little concerning.
     
    rodney88, Jan 12, 2007 IP
  7. clancey

    #7
    That code snippet comes from Mambo/Joomla. When I started using it, I was able to verify that more than the GET data could be changed within a URL string. I believe PHP has been made secure enough that this should not be an issue . . . But, proper security is built around the notion that you should never trust anybody. This function provides an important layer of protection against a misconfigured PHP installation and/or program.
     
    clancey, Jan 12, 2007 IP
  8. clancey

    #8
    I do not do a lot of work with javascript. But, any important data that you put in hidden and/or javascript fields on the page can be manipulated. Never put data which must remain secure where people can potentially change it. Furthermore, if you are going to check to make sure it was not changed, why not simply hide it in the first place? PHP sessions do this very well. Cookies could help. Unique tokens in forms can also help.

    Having said that, you can sometimes hide information in plain sight. You could have a string of numbers, which contains your hidden number. Or an alphabetic string where the seventh letter represents the hidden digit. But, a bored script kiddie will probably figure it out.
     
    clancey, Jan 12, 2007 IP
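
An added example, not part of the original thread, covering the server-side check from post #5 and the form tokens from post #8: the handler takes the access level only from the session, so a changed `accountLevel` in the page has no effect on the decision, and it requires a per-session form token. The endpoint, the `token` field name, `REQUIRED_LEVEL`, and the helpers `form_token()` and `authorize()` are assumptions for illustration.

```php
<?php
// Added example (not from the thread): hypothetical AJAX endpoint.
session_start();

const REQUIRED_LEVEL = 5; // assumed threshold for this action

// Called by the page that renders the form; the value goes in a hidden
// "token" field and is also kept in the server-side session.
function form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// Decide from server-side state only; returns an HTTP status code.
function authorize(array $session, array $post, int $required): int
{
    if (!isset($session['user_id'], $session['access_level'])) {
        return 401; // not logged in
    }
    $known = $session['form_token'] ?? '';
    $sent  = $post['token'] ?? '';
    // An empty stored token must never match an empty submitted one.
    if ($known === '' || !is_string($sent) || !hash_equals($known, $sent)) {
        return 403; // missing or wrong form token
    }
    // $post['accountLevel'], if the client sends one, is never consulted.
    return ((int) $session['access_level'] >= $required) ? 200 : 403;
}

$status = authorize($_SESSION, $_POST, REQUIRED_LEVEL);
http_response_code($status);
if ($status !== 200) {
    exit; // stop the script before any privileged work
}

// ... perform the privileged action here ...
```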