PHP secure Session Check?
Question
I have a session that I gave to users that has matching password = stored password, like a simple login system :
// Checks Password and Username
if ($pSys->checkPassword($AccountData['password'], $StoredData['password'])) {
$_SESSION['login'] = true;
}
The question is: is this secure enough?
// put this on every header page that needs to be loggedin.
function loginCheck(){
if ( empty( $_SESSION['login'] )) {
header( 'location:index.php' );
die();
}
}
Is there a difference between die() and exit() ? Second, some say that I should add session_regenerate_id() ? (Is that an overkill?) Anyway the real question is said above.
addon*
I have read PHP Session Security but it seems it doesn't match my problem here (that link is just to general).
Here is the checkPassword() method
function checkPassword($password, $storedpassword) {
if($password == $storedpassword){
return true;
}
}
3 answers
solution1
3 ACCPTED 2010-07-26 18:08:30
Answering the first part: empty and die are not comparable:
-
emptyis to check if a variable does not exists or has a value equal to false (see also this type comparison table ). -
dieis an alias ofexitand is used to immediately abort the execution of the current script with an optional message.
Now to your authentication example: Yes, you should use session_regenerate_id to generate a new session ID and revoke the old session ID by setting the optional parameter for session_regenerate_id to true:
if (!sizeof($ErrorAccount)) { // Checks Password and Username
session_regenerate_id(true);
$_SESSION['login'] = true;
}
The purpose of session_regenerate_id is to avoid session fixation attacks. This will not be necessary if the server only allows session ids to be sent via cookies, but since PHP by default allows them in URL, you're strongly recommended to regenerate the id.
solution2
1 2010-07-26 22:47:20
Since you are looking for answers about security, also don't keep the stored password in plain text. At the very least, salt and hash your passwords, then store the hash. Rehash and compare hashes, not plain text.
solution3
1 2010-08-10 13:46:50
You could added a token (hash) to the form and then validate the token to make sure that the token which was submitted via the form is still valid. This helps to prevent CSRF attacks.
You could also store the IP address and browser together with the token in a database for additional validation, however you need to be aware that some ISP's change the clients IP address fairly often and could cause the validation to fail incorrectly.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.