Hello guys,
today when I checked my script I noticed my sessions are not protected.
When a user logs in, his username is stored in a session variable, let's call it $_SESSION['user'], and I use this session variable in many functions,
e.g. when uploading a file the name of the user is taken from the session variable, and when checking whether this is a user or an admin I use the session variable.

check_admin($_SESSION['user']);
function check_admin($var) {
    // SQL: search for $var in TABLE WHERE is admin = 1
    // if success, go to admin panel
    // else go to login page
}

So I thought that if someone creates a session with the same name as mine, $_SESSION['user'], and enters the admin control panel, he will get access, I think, because I check the name of the admin only.
How can I protect the session so only the one with the username and password can enter the script?
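
A common way to structure what the question asks about, as an added example that is not part of the original post: PHP keeps the contents of $_SESSION on the server and the browser only holds the session ID cookie, so the protection lies in setting $_SESSION['user'] only after a password check and in keeping the session ID from being fixed or stolen. The `users` table, its columns (`username`, `password_hash`, `is_admin`), the PDO connection and the `/login.php` path are assumptions.

```php
<?php
// Added example. Assumed (hypothetical) schema: users(username, password_hash, is_admin).
// Array form of session_set_cookie_params() needs PHP 7.3 or later.

function start_secure_session(): void {
    session_set_cookie_params([
        'httponly' => true,   // cookie not readable from JavaScript
        'secure'   => true,   // cookie sent over HTTPS only
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue
    session_start();
}

function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if (!is_string($hash) || !password_verify($password, $hash)) {
        return false;                 // unknown user or wrong password
    }
    session_regenerate_id(true);      // fresh ID after login prevents session fixation
    $_SESSION['user'] = $username;    // the only place this value is ever set
    return true;
}

function check_admin(PDO $db): bool {
    if (!isset($_SESSION['user'])) {
        return false;                 // nobody logged in on this session
    }
    // Re-read the flag on every request so a revoked admin loses access immediately.
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = ? AND is_admin = 1');
    $stmt->execute([$_SESSION['user']]);
    return $stmt->fetchColumn() !== false;
}

function require_admin(PDO $db): void {
    if (!check_admin($db)) {
        header('Location: /login.php');  // hypothetical login page path
        exit;
    }
}
```

Call start_secure_session() at the top of every page and require_admin($db) at the top of every admin page, before any output is sent.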
