Dec 21st, 2005, 02:50 PM
#1
Thread Starter
Hyperactive Member
Session Security Issue
Hi,
I am writing a PHP based website for a database containing business information. Users can sign in with a username and password. Each user has a number of privileges: "Read, Write, Delete". Those 3 are booleans.
When the user visits a webpage there should appear information according to his privileges. And there should appear buttons (e.g. a Delete button) according to the user's privileges.
So on every webpage there needs to be a fast check of these privileges.
One thing is sure: I am going to program this using Sessions.
I am a bit in a dilemma though. Because I see 2 options here. I would like you to help me make a decision.
First possibility:
After the first successful login: store the username and (a md5 hash of) the password in session variables. After that, check the privileges (in the database) again on every visit of a page. Very safe imho.
Second possibility:
After the first successful login: store all privileges and the username in Session variables. When the user visits the next page it will not be necessary to search in the database again.
The reason why I am not sure is because I am not sure how safe Sessions are. From experience I would choose the first possibility. Although I believe Sessions are really 99% server side so there's not much that can go wrong, right?
If I am not mistaken, session IDs are stored in the client header though. Is this dangerous?
Thanks in advance.
____________________________________________
Please rate my messages. Thank you!
____________________________________________
Bram Vandenbon
http://www.bramvandenbon.com
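An added illustration of the first option (session holds only who the user is, privileges are re-read from the database on every page); this is not code from the thread. It assumes a `users` table with `id`, `username`, `password_hash`, `can_read`, `can_write` and `can_delete` columns, and builds an in-memory SQLite database with one constructed user so it runs on its own.

```php
<?php
// Added example, not code from the thread: the first option from the post,
// with only the user's id kept in the session and privileges re-read from
// the database on every request. Table and column names are assumptions,
// and the in-memory SQLite database with one user is constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT,
            can_read INTEGER, can_write INTEGER, can_delete INTEGER)');
$pdo->prepare('INSERT INTO users VALUES (1, ?, ?, 1, 1, 0)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh session id after authentication, so an id issued before login
    // (session fixation) never becomes an authenticated one.
    session_regenerate_id(true);
    // Keep only the key needed to look the user up again, never the password.
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Run at the top of every page: the session proves who the user is,
// the database stays the authority on what they may do right now.
function currentPrivileges(PDO $pdo): ?array
{
    if (empty($_SESSION['user_id'])) {
        return null; // not logged in
    }
    $stmt = $pdo->prepare('SELECT can_read, can_write, can_delete FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        session_destroy(); // account removed since login: drop the session
        return null;
    }
    return array_map('boolval', $row);
}

// Cookie flags keep the session id out of reach of scripts and plain HTTP.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
if (login($pdo, 'alice', 'correct horse') && ($priv = currentPrivileges($pdo))) {
    echo $priv['can_delete'] ? '<button name="delete">Delete</button>' : '';
}
```

With this layout a privilege change made in the database takes effect on the user's very next page load, which is what option one buys at the cost of one query per request.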
Dec 21st, 2005, 03:28 PM
#2
Fanatic Member
Re: Session Security Issue
I did something on this line for my old job. I had to limit the amount of information a person saw and could use. I didn't need serious protection so I just got creative.
The passwords each had 3 values hidden in it, such as "12A34B56C". It just looked random but those 3 letters meant something. When they first logged in I stripped those characters and then those meant their levels. AAA meant they could do anything, ABA meant they could not delete information but could do everything else.
Then in the code, I had those 3 characters passed through the pages, something like mainpage.php?action=new&val1=profile&psl=ABC, etc
PSL = Person's security level. Then every page checked these. I am sure it's not what you need but in case anyone else wonders, this is how I did it.