Using Session Identifier as security measure

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Moderators: macek, egami, gesf

aps
New php-forum User
Posts: 4
Joined: Thu Nov 04, 2004 2:55 pm

Using Session Identifier as security measure

Postby aps » Thu Nov 04, 2004 4:27 pm

Could anyone comment on whether the following technique is safe/reasonable for security?
I require users to log in. At the login, they enter their username and pass. A query is run against a MySQL users table. If there is a match to that username and pass, I set a SESSION variable to a particular word. Then on the rest of my code, that is, on the code for the rest of my pages, I check to see whether that SESSION variable is set and equal to that predetermined word. If it is, code executes. If it isn't, code doesn't execute, and sends the user back to the login page.
It seems to work just fine, but was wondering whether this is really a safe way to do it.
Thanks in advance.
-APS

swirlee
Moderator
Posts: 2272
Joined: Sat Jul 05, 2003 1:18 pm
Location: A bunk in the back
Contact:

Postby swirlee » Thu Nov 04, 2004 6:35 pm

It's a pretty typical way to do it. However, rather than using a particular word (which could leave you vulnerable to a dictionary attack), an MD5 hash of the password (or the password plus some other data) is usually used.

aps
New php-forum User
Posts: 4
Joined: Thu Nov 04, 2004 2:55 pm

Checking MD5 password in SESSION

Postby aps » Fri Nov 05, 2004 2:50 am

Thanks. I like that idea. I looked up the MD5 function...very cool...wasn't even aware that it existed.

The reason I had considered using a standard set word, rather than the user's specific password, was that I didn't want to have to query the users database every time for every page to confirm them.

Am I correct in assuming that the password approach you are speaking of would then run a quick query at the beginning of each page within the app to test whether a record exists for that user and password? Or is there another approach?

Am I silly to think that the extra processing (in MySQL) would slow the application down?

Thanks for helping me to think this through.
-APS
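The flow the thread describes, written out as an added example (not code posted by aps or swirlee): credentials are checked once against the users table at login, the session is then marked as belonging to that user, and every protected page checks that marker. It answers the per-page query question directly: the session data lives on the server and the browser only holds the session ID, so no database round-trip is needed on each page. Design choices that are this example's own, not the thread's: passwords are stored and verified with PHP's password_hash()/password_verify() instead of an MD5 value, the session ID is regenerated at login, and an idle timeout is enforced. Assumed and not from the thread: a PDO connection in $pdo, a `users` table with columns `id`, `username`, `password_hash`, and a login page at /login.php.

```php
<?php
// Added example, not from the forum thread. Assumptions: $pdo is an open PDO
// connection; table `users` has columns id, username, password_hash where
// password_hash holds output of password_hash(); /login.php exists.
declare(strict_types=1);

// Cookie hardening must be set before session_start().
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
ini_set('session.cookie_httponly', '1');   // keep the ID away from page scripts
ini_set('session.cookie_secure', '1');     // only send over HTTPS
ini_set('session.use_only_cookies', '1');  // never accept the ID in the URL
session_start();

/** Verify credentials against the users table; on success bind the session to the user. */
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() compares in constant time and never needs the plaintext stored.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // New session ID on privilege change, so an ID obtained before login is useless.
    session_regenerate_id(true);
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['last_seen'] = time();
    return true;
}

/**
 * Per-page check. The marker is the user_id stored server-side; no query is run.
 * Sessions idle longer than $maxIdleSeconds are torn down and the user is redirected.
 */
function requireLogin(int $maxIdleSeconds = 1800): void
{
    $idle = time() - (int) ($_SESSION['last_seen'] ?? 0);
    if (empty($_SESSION['user_id']) || $idle > $maxIdleSeconds) {
        logout();
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_seen'] = time();
}

/** Clear server-side session data and expire the browser's cookie. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on login.php (POST handler):
//   if (login($pdo, $_POST['username'], $_POST['password'])) { header('Location: /home.php'); exit; }
// Usage at the top of every protected page:
//   requireLogin();
```

The reason a fixed "predetermined word" adds nothing here is that the word never leaves the server: an attacker cannot set $_SESSION themselves, only present a session ID. What matters is therefore how hard the ID is to guess or steal, which is what the cookie flags, strict mode and session_regenerate_id() address. Storing the password hash in the session, as suggested in the thread, is unnecessary for the same reason; the user id is enough, and it avoids keeping password material in session storage.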

