Hi,

My site uses sessions, and for example, on login a random token is generated as a hidden field in the form and added to the session.

As I am on shared hosting, I set my own session path outside the root directory, and if for example the session is tampered with in any way the user is logged out. I also have it so that each time the user visits their main control panel area, and on login, it regenerates a new session id to try and help avoid session theft. I also do some checks against the DB on some parts: for example, changing the password also requires the old password to set a new one, in case the user account is hijacked, and changing the email checks that the information stored in the session equals the information stored for that user in the database.

I also have it that if a user fails 4 login attempts, it locks their account and sends them an email to notify them, in case it was being accessed by an unauthorised person, with a unique activation link to use before login and a new randomly generated password which is encrypted using sha1().

I feel pretty confident I have done enough to make it as secure as possible.

My question now relates to my admin area.

I simply have on my user table a column called `admin`; the default is `0` for non-admin and `1` means admin.

Would you say it is safe on each login that I store the admin value in $_SESSION so it can tell whether a user is admin or not, and if so show the admin menu?

For example, once the user is verified on login, I store information about the user in the session for use on other areas of the site. If I add a new session value for admin on login, it will see if it == 0 or 1.

I think this will be fine due to the fact that I have my own session path which is outside the root, so it can only be viewed by me, but I would like some advice to ensure this is safe or whether a safer way is available.

Thank you,
Mat

All 4 Replies

Using $_SESSION would be fine. It's pretty difficult to hijack a session anyway. You have taken the right security measures to prevent that from happening, so there isn't much to worry about.

Also, never disable a user because of what someone else has done. This can lead to a DOS attack (Denial of Service).
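Putting the approach discussed in this thread into code, as an added example that is not code from either poster: the login stores the admin flag in $_SESSION only after reading it from the database, regenerates the session id, and uses a 15-minute lock instead of permanently deactivating the account, which addresses the Denial of Service point above. It assumes session_start() has already run, a PDO connection in $pdo, and a `users` table with the columns named in the comments; password_verify() is used in place of sha1(), which is not suitable for password storage.

```php
<?php
// Assumed: session_start() already ran, $pdo is a PDO connection, and table `users` has columns
// id, email, password_hash, admin (0/1), failed_logins, locked_until. password_verify() replaces sha1().

const MAX_FAILED_LOGINS = 4;       // the threshold from the thread
const LOCKOUT_SECONDS   = 15 * 60; // temporary lock, so nobody can permanently disable an account

function login(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash, admin, failed_logins, locked_until
                           FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return false;
    }
    // Still locked from earlier failures: reject without touching the counter.
    if ($user['locked_until'] !== null && strtotime($user['locked_until']) > time()) {
        return false;
    }
    if (!password_verify($password, $user['password_hash'])) {
        $failed = (int) $user['failed_logins'] + 1;
        $lock   = null;
        if ($failed >= MAX_FAILED_LOGINS) {
            $lock   = date('Y-m-d H:i:s', time() + LOCKOUT_SECONDS);
            $failed = 0; // the count restarts once the lock expires
        }
        $pdo->prepare('UPDATE users SET failed_logins = ?, locked_until = ? WHERE id = ?')
            ->execute([$failed, $lock, $user['id']]);
        return false;
    }
    $pdo->prepare('UPDATE users SET failed_logins = 0, locked_until = NULL WHERE id = ?')
        ->execute([$user['id']]);
    // Fresh session id at the privilege change, so an id fixed before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['admin']   = ((int) $user['admin'] === 1); // copied from the DB row, never from user input
    $_SESSION['csrf']    = bin2hex(random_bytes(32));    // the hidden form token
    return true;
}

// Call at the top of every admin page: the flag can only have been set by login().
function requireAdmin(): void
{
    if (empty($_SESSION['admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

Because the session file lives outside the web root and the flag is written only from the database row, a visitor cannot set `admin` themselves; the remaining risk is session theft, which the id regeneration and the token limit.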

Hi,

Thanks for the information, much valued and appreciated.

You're very nice, Keith, for helping me more than once, and I appreciate this a lot.

I just Googled DOS attack and see what you mean.

I thought that by locking the user's account and deactivating their account, not only is the user notified, they are sent a newly generated password and an activation link to re-activate their account.

Although somewhat annoying, I suppose there are advantages and disadvantages, and a programmer has to weigh the pros and cons.

May I ask, Keith, what do you think is the best way?

I know I could just block a user's account for, let's say, 15 minutes after 4 failed logins, and it is less work for the genuine user, but I don't see any difference.

What way would you recommend?

I can't believe how much I have learnt about security when programming; there is always some sort of an attack. If only the world was a lovely place, huh, lol.

Thank you,
Mat

I don't add stuff like that. I keep it simple.

The random token helps out with automated requests, so I don't worry about a brute force attack. If someone wants to try and login a hundred times, I will let them. Most likely they won't get in.

Thanks Keith for the advice,

Regards,
Mathew
