Just how safe is a session based on a mysql field id for user identification?
Join Date: Dec 2007
Posts: 136
Reputation:
Solved Threads: 2
Hello all,
Just wanted to see if I am leaving open some security hole in a script I have! When the user logs in it creates a session based on the id field of the users table! For example .... my id is 10 so a session is created based on that.
What I wanted to know is if I want a secure way to identify a genuine user based on their session then should I make this session more complicated by adding further details? Or even create multiple sessions?
I am currently checking the user against my sql table id against their session but thought that if someone created a session from another website with, for example, the number 10 then I wouldn't want them being able to access my member's account whose ID number is 10!
Hope this makes sense and someone can clarify the best way around it
Thanks
Join Date: Mar 2008
Posts: 152
Reputation:
Solved Threads: 19
Re: Just how safe is a session based on a mysql field id for user identification?
0
#2 Jun 18th, 2009
Session is fairly safe but hackable.
Here's a decent rundown that may help you: http://www.sitepoint.com/blogs/2004/...sion-security/
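
The setup the question describes, as an added example that is not part of the original thread: the user id is kept in `$_SESSION` on the server and the browser holds only the random session ID cookie, so a session created on another site's server is never read by this one. The function names are hypothetical; the array form of `session_set_cookie_params()` assumes PHP 7.3 or later, and HTTPS is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; only the PHP session functions are real APIs.
function start_secure_session(): void
{
    // Reject session IDs the server did not issue (blocks attacker-chosen IDs).
    ini_set('session.use_strict_mode', '1');
    // Accept the ID from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,        // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,     // assumption: the site is served over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after the password has been verified (e.g. with password_verify()).
function login_user(int $userId): void
{
    // New ID at the privilege change; the pre-login ID stops working.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;   // stored server-side, never sent to the client
    $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $_SESSION['last_seen']  = time();
}

// Returns the logged-in user's id, or null if the session is not valid.
function current_user_id(int $idleLimit = 1800): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'])) {
        return null;
    }
    $expired = time() - $_SESSION['last_seen'] > $idleLimit;
    // Weak extra signal only: a User-Agent string can be copied by anyone.
    $uaMoved = ($_SESSION['user_agent'] ?? '') !== ($_SERVER['HTTP_USER_AGENT'] ?? '');
    if ($expired || $uaMoved) {
        $_SESSION = [];
        session_destroy();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}
```

What needs protecting here is the session ID cookie rather than the number 10: anyone who obtains that cookie is treated as the user until the session expires or is destroyed.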
Re: Just how safe is a session based on a mysql field id for user identification?
0
#3 Jun 18th, 2009






