Reputation: 513
I'm new to php coding, and basically I'm creating a user panel where users login and from there they access their dashboard which lets them do things.
I'm using php sessions to do this, and basically at the top of the dashboard I put:
session_start();
if(!session_is_registered(myusername)){
    header("location:index.php");
}
This makes it so users who aren't logged in are re-directed to index.php.
The problem is that there is certain commands users can do from dashboard, like this: /dashboard.php?reset=true
And doing these commands does not require active session for some reason. Anyone can just go to /dashboard.php?reset=true and reset everything, without an active session!
Does anybody know how to fix this security flaw which allows people to do this?
Thanks
Upvotes: 2
Views: 204
Reputation: 3040
Quick answer: you could put the same code in the /dashboard.php file.
Better, verify whether the user is an admin by declaring a session variable when logged in, before redirecting:
session_start();
$_SESSION['is_admin']="yes" ;
In the "execution files" :
if(isset($_SESSION['is_admin']) && $_SESSION['is_admin'] == "yes")
{
    //do your thing
}
else
{
    echo "you are not allowed to do that";
}
For more security tips: link. It will point out some security issues for you.
Upvotes: 2
Reputation: 2086
It might be that you are using PHP 5.4.x. session_is_registered has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.
Use isset($_SESSION['myusername']) instead of session_is_registered.
Edit
exit should always be put after redirecting from header; die will work too.
Upvotes: 0
Reputation: 8338
You need to put a die or exit or some other way of terminating after your header() call. header() doesn't stop execution, so even though it's sending the Location: redirect, it's going to keep going down through your code.
Upvotes: 0
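The two points the answers make (check server-side session state, and exit right after the redirect header) fit together in one guard, shown here as an added example that is not code from the question or from any of the answers. The file names, the user_id session key and reset_dashboard() are assumptions chosen for the illustration.

```php
<?php
// Added example; not code posted in the question or answers.
// Assumed layout: login.php calls establish_session() after the password
// check succeeds, and dashboard.php calls require_login() before anything
// else. Names (user_id, reset_dashboard) are assumptions.

// --- guard, include at the very top of every page that needs a login ---
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // The only trusted login signal is server-side session state, never a
    // value taken from the query string.
    if (!isset($_SESSION['user_id'])) {
        header('Location: index.php');
        // header() only queues a response header. Without exit the rest of
        // the script, including the ?reset=true branch below, would still run
        // for an anonymous visitor.
        exit;
    }
}

// --- login.php, after credentials have been verified ---
function establish_session(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);      // discard any pre-login session id
    $_SESSION['user_id'] = $userId;
}

// --- dashboard.php ---
function reset_dashboard(int $userId): void
{
    // Real reset logic goes here, scoped to the logged-in user only.
}

require_login();   // everything below this line runs only for logged-in users

if (isset($_GET['reset']) && $_GET['reset'] === 'true') {
    // Reached only after the guard, so /dashboard.php?reset=true without a
    // valid session has already been redirected and terminated above.
    reset_dashboard((int) $_SESSION['user_id']);
}
```

The reset branch takes the user id from the session rather than from the request, so even a logged-in user can only reset their own data.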
Reputation: 60037
I guess that by reset you mean password. Just get that part to ask them for the old password as well as the new one. And to stop robots use summat like CAPTCHA.
Upvotes: 0