WebProWorld IT Discussion Forum
#1  morestar, 11-25-2009, 12:08 AM

Is It Secure To Use The Session ID as a Profile Selector Condition With SQL?

So I snagged this pretty good login script that uses sessions, and now I can get a user to log in, but the tricky part is displaying only their data.

I was able to catch the randomly created id through this SQL statement: "MD5(UNIX_TIMESTAMP())".

Is it safe to use that generated variable as the condition to check and get the user's information?

#2  wige (Moderator), 11-25-2009, 10:36 AM

Assuming you are referring to getting the PHP session id, the workaround you are suggesting could be incorrect at times. To get the actual PHP session id, the code is $id = session_id();

Once a user is logged in, you can use print_r($_SESSION); to view the variables the login script stores in the session, and access them with your own scripts.
#3  morestar, 11-25-2009, 10:48 AM

OK thanks (again) wige...

So using the session id as the condition for selecting the user's data is OK security-wise?
#4  wige (Moderator), 11-25-2009, 11:21 AM

Um, well...

It really depends on how sensitive the data in question is. If you are talking about simply editing a user profile on a social networking site, that should be fine. If you are talking about financial, or medical information, additional authentication should be done, such as reconfirming the user's password from within an encrypted channel.

In theory, an unauthenticated user could hijack a session from an authenticated user on a standard HTTP connection. The protection against this is to "reinitialize" the session and reauthenticate the user. This requires the use of secure cookies, and that all communication within the secure area of the site be done over HTTPS. Additional security can be achieved against hijacking by continuously checking the user's IP address.

The basic workflow would be as follows:

1. The user comes into the web site as an unauthenticated user, and is assigned a session id.
2. The user goes to the secure site to authenticate, and the unauthenticated session id is reset.
3. The user authenticates, and the session now stores the user's id and IP address, but no other authentication information.
4. The user returns to the unsecure section of the site and continues browsing, keeping the same session id.
5. The user decides to access secure information, and returns to the secure area of the site. The user's session is reset, the current IP address is checked against the IP stored in the session, and the user is prompted to re-enter their password.
6. The user reauthenticates, and maintains the same session id, and proceeds to access the secure information.

This method can be less friendly from a user standpoint, since the user has to reenter their password each time they go to the secure area of the site, and as a result this approach may only be desired if you are storing sensitive information. Most sites do not take this type of precaution, as it can be a bit of overkill for most situations.
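The workflow wige describes, written out as an added example (this is not code from the thread, the login script morestar mentions, or any project): the profile query is keyed on the user id the login stores in the session, never on the session id itself, and the "secure area" gate checks the stored IP and a recent password reconfirmation. The users table layout, the sample accounts and the 300-second reauthentication window are assumptions made for the example; an in-memory SQLite database is used so the script runs stand-alone from the CLI.

```php
<?php
// Added example (not from the thread): authorisation keyed on the user id stored in
// the PHP session, plus the "secure area" re-authentication flow described above.
// Assumptions: a users table (id, email, password_hash, display_name) and a SQLite
// in-memory database so the script runs stand-alone. In a web request $session is
// $_SESSION and $clientIp comes from $_SERVER['REMOTE_ADDR'].

const REAUTH_WINDOW = 300; // seconds a password confirmation stays valid (assumed value)

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE,
                                    password_hash TEXT, display_name TEXT)');
    // Constructed sample accounts.
    $ins = $pdo->prepare('INSERT INTO users (email, password_hash, display_name) VALUES (?, ?, ?)');
    $ins->execute(['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT), 'Alice']);
    $ins->execute(['bob@example.com', password_hash('battery staple', PASSWORD_DEFAULT), 'Bob']);
    return $pdo;
}

// Steps 2 and 3: the pre-login session id is discarded and the session stores only
// the user id and client IP, never the password or its hash.
function login(PDO $pdo, array &$session, string $email, string $password, string $clientIp): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh id, old one deleted (no fixation carry-over)
    }
    $session = ['user_id' => (int) $row['id'], 'ip' => $clientIp, 'reauth_at' => time()];
    return true;
}

// The profile query is bound to the server-side user id, never to the session id
// and never to anything the client sent in the request.
function ownProfile(PDO $pdo, array $session): ?array
{
    if (!isset($session['user_id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, email, display_name FROM users WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Step 5: entering the secure area. The stored IP must match the current one and the
// password must have been reconfirmed recently; otherwise show the password prompt.
function secureAreaAllowed(array $session, string $clientIp): bool
{
    return isset($session['user_id'], $session['ip'], $session['reauth_at'])
        && hash_equals($session['ip'], $clientIp)
        && (time() - $session['reauth_at']) < REAUTH_WINDOW;
}

// Step 6: reconfirm the password for the user id that is already in the session.
function reauthenticate(PDO $pdo, array &$session, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$session['user_id'] ?? 0]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    $session['reauth_at'] = time();
    return true;
}

// Stand-alone walk-through with constructed values.
$pdo = connect();
$session = [];
var_dump(login($pdo, $session, 'alice@example.com', 'wrong password', '203.0.113.5')); // rejected
var_dump(login($pdo, $session, 'alice@example.com', 'correct horse', '203.0.113.5'));  // accepted
print_r(ownProfile($pdo, $session));                       // only Alice's own row
var_dump(secureAreaAllowed($session, '198.51.100.9'));     // a different client IP is refused
$session['reauth_at'] -= REAUTH_WINDOW;                    // simulate the confirmation window expiring
var_dump(secureAreaAllowed($session, '203.0.113.5'));      // refused until the password is re-entered
var_dump(reauthenticate($pdo, $session, 'correct horse'));
var_dump(secureAreaAllowed($session, '203.0.113.5'));      // allowed again
```

Note that nothing here passes the session id to SQL. The session id is only the lookup key PHP uses to find the server-side `$_SESSION` data; what identifies the account is the `user_id` written into that data at login, which the client cannot alter.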
#5  morestar, 11-25-2009, 11:31 AM

Very well then... In my case it is only about being able to view their own data and edit it as they please... My only worry is that somehow they end up being able to edit other members' information, but as you mentioned, if I check their password and session ID I should be safe... There really isn't too much personal data, just profile information and at most the user's email address...

Thanks so much wige - you're always great help!
#6  kgun, 11-25-2009, 02:53 PM

And you can write a wrapper around PHP's session functions:

Code:
<?php
/**
 * A wrapper around PHP's session functions
 * <code>
 * $session = new Session();
 * $session->set('message', 'Hello World!');
 * echo $session->get('message'); // Displays 'Hello World!'
 * </code>
 * @access public
 */
class Session
{
  /**
   * Session constructor<br />
   * Starts the session with session_start()
   * <b>Note:</b> if a session is already active, session_start()
   * is skipped, because calling it a second time raises a notice
   * @access public
   */
  public function __construct()
  {
    if (session_status() !== PHP_SESSION_ACTIVE)
    {
      session_start();
    }
  }

  /**
   * Sets a session variable
   * @param string name of variable
   * @param mixed value of variable
   * @return void
   * @access public
   */
  public function set($name, $value)
  {
    $_SESSION[$name] = $value;
  }

  /**
   * Fetches a session variable
   * @param string name of variable
   * @return mixed value of session variable, or false if it is not set
   * @access public
   */
  public function get($name)
  {
    if (isset($_SESSION[$name]))
    {
      return $_SESSION[$name];
    }
    else
    {
      return false;
    }
  }

  /**
   * Unsets a session variable
   * @param string name of variable
   * @return void
   * @access public
   */
  public function del($name)
  {
    unset($_SESSION[$name]);
  }

  /**
   * Destroys the whole session
   * The id is regenerated while the session is still active (the old id and
   * its data are deleted), then the data is cleared and the session destroyed;
   * session_regenerate_id() after session_destroy() fails because there is
   * no active session left to regenerate
   * @return void
   * @access public
   */
  public function destroy()
  {
    session_regenerate_id(true);
    $_SESSION = array();
    session_destroy();
  }
}
?>
Source: The PHP Anthology: 101 Essential Tips, Tricks & Hacks, 2nd Edition - SitePoint Books (see chapter 10; the whole chapter, pages 269-362, almost 100 pages, is about the important subject of access control. Highly recommended reading.)

Your program is no more secure than your coding.
Last edited by kgun; 11-25-2009 at 03:00 PM.
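A hardened variant of the wrapper idea, added here as an example (not code from kgun's post or from the SitePoint book): it sets the cookie flags wige's post calls for (secure, HttpOnly) and strict-mode id handling before the session starts, exposes an explicit regenerate() for use at login, and orders the logout steps so the cookie is expired and the data destroyed without calling session_regenerate_id() on a dead session. The class name and the "Lax" SameSite choice are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not from the thread or the SitePoint book: a hardened session wrapper.
// Assumption: PHP 7.3+ (array form of session_set_cookie_params with 'samesite').

final class SecureSession
{
    public function __construct(bool $httpsOnly = true)
    {
        if (session_status() === PHP_SESSION_ACTIVE) {
            return; // already started elsewhere; never call session_start() twice
        }
        // Refuse session ids the server never issued (defeats fixation via a chosen id).
        ini_set('session.use_strict_mode', '1');
        // Carry the id only in the cookie, never in URLs.
        ini_set('session.use_only_cookies', '1');
        ini_set('session.use_trans_sid', '0');
        session_set_cookie_params([
            'lifetime' => 0,          // session cookie, gone when the browser closes
            'path'     => '/',
            'secure'   => $httpsOnly, // only sent over HTTPS
            'httponly' => true,       // not readable from JavaScript
            'samesite' => 'Lax',
        ]);
        session_start();
    }

    public function set(string $name, $value): void
    {
        $_SESSION[$name] = $value;
    }

    /** Returns the stored value, or $default when the key is absent (so a stored false is not ambiguous). */
    public function get(string $name, $default = null)
    {
        return array_key_exists($name, $_SESSION) ? $_SESSION[$name] : $default;
    }

    public function del(string $name): void
    {
        unset($_SESSION[$name]);
    }

    /** Issue a fresh id and delete the old one; call right after login or any privilege change. */
    public function regenerate(): void
    {
        session_regenerate_id(true);
    }

    /** Logout: clear the data, expire the client's cookie, then destroy the server-side session. */
    public function destroy(): void
    {
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
    }
}

// Usage (constructed values; the credential check that precedes regenerate() is omitted here).
$session = new SecureSession();
$session->regenerate();            // immediately after the password verifies
$session->set('user_id', 42);
echo $session->get('user_id', 'anonymous'), PHP_EOL;
$session->destroy();               // on logout
```

From the CLI the cookie calls have no browser to talk to, but the ini settings, regeneration and destroy ordering behave exactly as they would inside a web request.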
#7  morestar, 11-25-2009, 02:57 PM

Thank you too kgun... I shall look into this as well... I truly need to strengthen my PHP coding as well... it is time...