6

I am running a simple service where users have to login to be able to operate special functionalities.

My MySQL database stores the username, password and user_id.

When user wants to login, they must provide their username and password which are posted to profile.php.

The profile.php does a simple check:

// Start (or resume) the session before touching $_SESSION
session_start();

// Sanity Check
if(empty($_POST['smart_email'])|| empty($_POST['smart_password']))
{

    echo 'Sorry, wrong login/passwd';
    exit;
}
else
{
    //
    $smart_email = $_POST['smart_email'];
    $smart_password=$_POST['smart_password'];

    // Check if registered and password matches
    if(DB_IsAuthorized($smart_email, $smart_password) == true)
    {
        // Obtain proper UserID from the database
        $UserID             = DB_GetId($smart_email);

        // set the session user_id variable
        $_SESSION['user_id'] = $UserID;


        //
        // Display the User profile page
        //
    }

}

From that moment, every single page that is user-related has a check for user_id set in $_SESSION to find out if this user was logged in and is authorized.

session_start(); // must run before $_SESSION is readable on this page

if (isset($_SESSION['user_id']) && is_numeric($_SESSION['user_id']) && $_SESSION['user_id']>0)
{
    // USER IS LOGGED IN
}

The question is: Is this $_SESSION['user_id'] check enough to secure the pages from non-logged-in users?

4
  • [+1] Actually, yes, it's enough. But without any other measure your visitors are vulnerable to most attacks on their account. I can propose that you use a framework and acquire an SSL certificate to make HTTPS. Don't disparage it! People who create frameworks have a lot of experience! By the way, I like Yii, it's rather simple :) Commented Nov 27, 2015 at 18:52
  • [+1] When it comes to securing pages on your site, I don't think there's ever enough that can be done. However, I think that generally speaking a simple $_SESSION check can be enough. Commented Nov 27, 2015 at 18:55
  • Maybe I was off topic at first here. Are you asking if using $_SESSION will allow you to block content from not-logged-in users, or how secure $_SESSION is when entering the areas of brute force attacks, hijacking, etc.? Commented Nov 27, 2015 at 19:06
  • In and of itself it's okay, but as chris85 said you'd want to check and make sure people weren't using it to brute force user accounts. Whenever I log a user in I record the time and IP. Every time I check my session vars after that, I also check that there has not been a more recent login on that account, and that the IP hasn't changed. If it has, typically I terminate both sessions and force the user to login again. This puts up an additional barrier since an attacker wouldn't be able to take action by hijacking an existing session; they would need to know the username and pass. Commented Nov 27, 2015 at 19:47
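The check in the question only proves that something wrote a positive integer into $_SESSION['user_id']; it says nothing about how that session id was issued, how long it lives, or who is presenting it. PHP keeps session data on the server and the browser holds only the id, so the practical defences are around the id: regenerate it at login so a pre-planted id never becomes a logged-in one, send the cookie with HttpOnly/Secure/SameSite, expire idle sessions, and optionally bind the session to the login IP as one commenter describes. The following is an added example (not the asker's code) that wraps the login step and the per-page check in that way. It assumes the site is served over HTTPS and that DB_IsAuthorized() and DB_GetId() exist as named in the question.

```php
<?php
// Added example, not the asker's code: hardened session handling around the
// login check from the question. Assumes the site is served over HTTPS and that
// DB_IsAuthorized() and DB_GetId() exist as in the question.

declare(strict_types=1);

// Call at the top of every page, before any output. The cookie flags limit what
// a stolen or injected session cookie is worth: HttpOnly keeps it away from
// script, Secure keeps it off plain HTTP, SameSite=Lax stops most cross-site use.
function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1'); // refuse session ids PHP did not issue
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called once, right after DB_IsAuthorized() returns true. A fresh id means a
// session id that was planted before login never becomes a logged-in one.
function establishLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
    $_SESSION['login_ip']  = $_SERVER['REMOTE_ADDR'] ?? '';
}

// Replacement for the isset()/is_numeric() check from the question. Returns the
// user id when the session is valid, null otherwise.
function currentUserId(int $maxIdleSeconds = 1800): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'], $_SESSION['login_ip'])) {
        return null;
    }
    $userId = filter_var($_SESSION['user_id'], FILTER_VALIDATE_INT);
    if ($userId === false || $userId <= 0) {
        return null;
    }
    // Idle timeout: an abandoned session stops working even if the cookie survives.
    if (time() - (int) $_SESSION['last_seen'] > $maxIdleSeconds) {
        return null;
    }
    // IP binding as one commenter describes. It does log out users whose address
    // changes mid-session (mobile networks, some proxies), so weigh that per site.
    if (($_SERVER['REMOTE_ADDR'] ?? '') !== $_SESSION['login_ip']) {
        return null;
    }
    return $userId;
}

// Drops the server-side data and the cookie, not just $_SESSION['user_id'].
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Guard for the top of every user-only page: returns the user id or redirects.
function requireLogin(): int
{
    startSecureSession();
    $userId = currentUserId();
    if ($userId === null) {
        logout();
        header('Location: /login.php', true, 303);
        exit;
    }
    $_SESSION['last_seen'] = time(); // refresh so the timeout measures inactivity
    return $userId;
}
```

In profile.php this replaces the two lines that assign $_SESSION['user_id']: call startSecureSession() before the sanity check and establishLogin(DB_GetId($smart_email)) once DB_IsAuthorized() returns true. Every other user-related page then begins with $userId = requireLogin(); instead of the isset()/is_numeric() block. The IP check is the one piece that is a trade-off rather than a clear win; the cookie flags, strict mode, id regeneration and idle timeout cost nothing in usability.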

1 Answer

3

This question is too broad, but the simple answer is no.

Firstly, you will need HTTPS to make sure you protect users from hackers, by using firewalls and other required security tools.

Secondly, you need to use .htaccess to change extensions, say, show users .html instead of .php.

Thirdly, sessions can be hijacked easily by hackers. So always try to store encrypted session values instead of plain text.

There are a lot more issues to take care of, but it's too complex and broad.


17 Comments

1) This is obvious. 2) Why do I show .html instead of .php? What's the point? 3) Makes sense. The "no" answer is kind of strange; every single page says use $_SESSION in PHP. I assume that with these 3 points done it is safe to use $_SESSION checks then.
As to point 2, security by obscurity is one of the weakest forms of security. php.net/manual/en/security.hiding.php
Changing .php to .html has proven to reduce hackers from attacking. These points are enough for $_SESSION but not for other attacks. And the answer "no" was to show that the code is not well written. It needs encryption and is also prone to simple SQL injection.
@Manikiran This is interesting; where is the SQL injection possible here? Thanks for your input into this.
@PeeS I assumed that your DB_IsAuthorized() function does not encrypt or hash the values before comparing them to values in the DB.
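The comment thread narrows the answer's "no" down to two concrete defects that live inside DB_IsAuthorized(), which the question never shows: building the query from the posted values, and comparing passwords against what is stored rather than against a hash. The following is an added example (not the asker's or the answerer's code) of those two helpers written so that neither defect is possible: a prepared statement keeps the email out of the SQL text, and password_hash()/password_verify() mean the table never holds the password itself. The "unsafe" variant is included only as the "before" shape the comments describe. It runs stand-alone against an in-memory SQLite table with one constructed user; the email, password and table layout are all assumptions.

```php
<?php
// Added example, not the asker's code or the answer's: the DB_IsAuthorized() and
// DB_GetId() helpers named in the question, written so that neither SQL
// injection nor a plaintext password column is possible. Runs stand-alone
// against an in-memory SQLite table with one constructed user.

declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE users (
        user_id       INTEGER PRIMARY KEY,
        email         TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL
    )');
    // Constructed sample row. Only the bcrypt hash is stored; the password itself
    // never reaches the table.
    $ins = $db->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $ins->execute([
        ':email' => 'alice@example.com',
        ':hash'  => password_hash('correct horse battery', PASSWORD_DEFAULT),
    ]);
    return $db;
}

// The shape the answer's comments warn about, kept only as the "before": the
// email is pasted into the SQL text, so whatever the user typed becomes part of
// the query. Never call this in production.
function DB_IsAuthorized_unsafe(PDO $db, string $email, string $password): bool
{
    $row = $db->query("SELECT password_hash FROM users WHERE email = '$email'")->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Hardened version: a prepared statement keeps the email out of the SQL text,
// and password_verify() compares against the stored hash in constant time.
function DB_IsAuthorized(PDO $db, string $email, string $password): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('unused', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), even for an unknown email, so response time
    // does not reveal which addresses are registered.
    $known = $row !== false;
    $ok    = password_verify($password, $known ? $row['password_hash'] : $dummyHash);
    return $known && $ok;
}

function DB_GetId(PDO $db, string $email): ?int
{
    $stmt = $db->prepare('SELECT user_id FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Stand-alone run with the constructed row.
$db = makeDb();
var_dump(DB_IsAuthorized($db, 'alice@example.com', 'correct horse battery'));
var_dump(DB_IsAuthorized($db, 'alice@example.com', 'not the password'));
var_dump(DB_IsAuthorized($db, 'nobody@example.com', 'anything'));
var_dump(DB_GetId($db, 'alice@example.com'));
```

Two details are worth noting against the answer's wording. "Encryption" is the wrong tool for stored passwords: an encrypted password can be decrypted, whereas a bcrypt hash produced by password_hash() cannot be reversed, which is what limits the damage when the users table leaks. And the dummy-hash branch exists because password_verify() against a real hash takes measurably longer than returning early, so without it an unauthenticated caller could tell registered emails from unregistered ones by timing alone.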
