CODEWITHSUNDEEP
phpsessionsecurity
Adam Ramadhan
Adam Ramadhan

Reputation: 22810

PHP secure Session Check?

I have a session that I gave to users that has matching password = stored password, like a simple login system :

// Checks Password and Username
if ($pSys->checkPassword($AccountData['password'], $StoredData['password'])) {
    $_SESSION['login'] = true;
}

The question is: is this secure enough?

// put this on every header page that needs to be loggedin.
function loginCheck(){
    if ( empty( $_SESSION['login'] )) {
        header( 'location:index.php' );
        die();
    }
}

Is there a difference between die() and exit()? Second, some say that I should add session_regenerate_id()? (Is that an overkill?) Anyway the real question is said above.

addon*

I have read PHP Session Security but it seems it doesn't match my problem here (that link is just to general).

Here is the checkPassword() method

function checkPassword($password, $storedpassword) {
    if($password == $storedpassword){
        return true;            
    }
}

Upvotes: 1

Views: 1578

Answers (3)

KSS
KSS

Reputation: 345

You could added a token (hash) to the form and then validate the token to make sure that the token which was submitted via the form is still valid. This helps to prevent CSRF attacks.

You could also store the IP address and browser together with the token in a database for additional validation, however you need to be aware that some ISP's change the clients IP address fairly often and could cause the validation to fail incorrectly.

More Info

Upvotes: 1

Zak
Zak

Reputation: 25205

Since you are looking for answers about security, also don't keep the stored password in plain text. At the very least, salt and hash your passwords, then store the hash. Rehash and compare hashes, not plain text.

Upvotes: 1

Gumbo
Gumbo

Reputation: 655189

Answering the first part: empty and die are not comparable:

  • empty is to check if a variable does not exists or has a value equal to false (see also this type comparison table).
  • die is an alias of exit and is used to immediately abort the execution of the current script with an optional message.

Now to your authentication example: Yes, you should use session_regenerate_id to generate a new session ID and revoke the old session ID by setting the optional parameter for session_regenerate_id to true:

if (!sizeof($ErrorAccount)) { // Checks Password and Username
    session_regenerate_id(true);
    $_SESSION['login'] = true;
}

The purpose of session_regenerate_id is to avoid session fixation attacks. This will not be necessary if the server only allows session ids to be sent via cookies, but since PHP by default allows them in URL, you're strongly recommended to regenerate the id.

Upvotes: 3

Related Questions