Antono Antono - 22 days ago 16
MySQL Question

How to Secure Login Session

I just thought of something about securing sessions, and it's bugging me. So could someone help me figure this out?

Alright, let me explain how I think of it. (don't worry, I'll get to the point in a minute)

<?php

if(!isset($_SESSION['login'])) {
$_SESSION['login'] = false;
}

?>


So basicly, no matter what
$_SESSION['login']
will always exist. Pretty neat? Maybe.

Okay, say you want a user to login. (getting closer to the point)

<?php

if($_SESSION['login'] === false)
{

if(isset($_POST['login-form']))
{
// execute login code . . .

// if the user had logged in successfully
if($success === true)
{
echo "Successfully logged in.";
$_SESSION['login'] = true;
$_SESSION['username'] = $_POST['username'];
// remember, I just wrote up an example,
// and everything would be filtered and sanitized
// if this were production code
}
}
}

?>


Okay, another thing how this would be setup. (almost there)

<?php

if($_SESSION['login'] === true)
{
// get database user information where username is $_SESSION['username'].
// also, the database table: users, would have unique usernames,
// they can't be the same.
}

?>


Okay, so you see the idea I have setup. But what happens if someone edits the the
$_SESSION['login']
to
true
? And then they change the
$_SESSION['username']
to a username that they want? That means someone can hack any account they wanted. And nobody wants that if they are building an application that stores user passwords and important data.

So the question is, how can I prevent that? Because you can change cookies/sessions by going into developer-tools(chrome) and go into the console and change the cookies with javascript.

Should I make another form that should double check? But that's the point, so it'd be nice if one of you could help me with figuring this question out.

Answer

The only piece of the session that the user has in their browser is the Session ID in the cookie. Period.

Users cannot view or edit session data locally, it's all stored on the server.

Modern PHP's session generation is fairly solid as well, making it very difficult for an outside entity to guess a valid session ID, and if you're using SSL [which, in this day and age, you should be] it's nigh-impossible for someone to steal Session cookies in-transit.

Comments