
Using Session Identifier as security measure



Postby aps » Thu Nov 04, 2004 4:27 pm

Could anyone comment on whether the following technique is safe/reasonable for security?
I require users to login. At the login, they enter their username and pass. A query is run against a MySQL users table. If there is a match to that username and pass, I set a SESSION variable to a particular word. Then on the rest of my code, that is, on the code for the rest of my pages, I check to see whether that SESSION variable is set and equal to that predetermined word. If it is, code executes. If it isn't, code doesn't execute, and sends the user back to the login page.
It seems to work just fine, but was wondering whether this is really a safe way to do it.
Thanks in advance.
-APS
aps
New php-forum User
Posts: 4
Joined: Thu Nov 04, 2004 2:55 pm

Postby swirlee » Thu Nov 04, 2004 6:35 pm

It's a pretty typical way to do it. However, rather than using a particular word (which could leave you vulnerable to a dictionary attack), an MD5 hash of the password (or the password plus some other data) is usually used.
swirlee
Moderator
Posts: 2272
Joined: Sat Jul 05, 2003 1:18 pm
Location: A bunk in the back

Checking MD5 password in SESSION

Postby aps » Fri Nov 05, 2004 2:50 am

Thanks. I like that idea. I looked up the MD5 function...very cool...wasn't even aware that it existed.

The reason I had considered using a standard set word, rather than the user's specific password, was that I didn't want to have to query the users database every time for every page to confirm them.

Am I correct in assuming that the password approach you are speaking of would then run a quick query at the beginning of each page within the app to test whether a record exists for that user and password? Or is there another approach?

Am I silly to think that the extra processing (in MySQL) would slow the application down?

Thanks for helping me to think this through.
-APS
aps
New php-forum User
Posts: 4
Joined: Thu Nov 04, 2004 2:55 pm
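The pattern the three posts describe, as an added example (not code from any of the posters): the login handler stores the marker in the server-side session and every other page checks that marker without a further MySQL query, which is the cost question in the last post. password_verify() is substituted for the MD5 comparison, and the `users` table columns and the `$pdo` connection are assumptions.

```php
<?php
// Session-based login gate in the shape the thread describes.
// Assumptions not taken from the posts: a `users` table with columns
// id, username, password_hash (created with password_hash()), and a
// configured PDO connection passed in as $pdo.

function login(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the submitted username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() is used here in place of the thread's MD5 comparison.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Issue a fresh session id at the moment privileges change, so an id that
    // existed before login is not carried across the authentication boundary.
    session_regenerate_id(true);

    // The marker is stored server-side; the browser only ever holds the session
    // id, so the marker's value is never sent to the client.
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['logged_in'] = true;
    return true;
}

function require_login(string $loginUrl = '/login.php'): void
{
    // Per-page check: reads the session only, no MySQL query on each page.
    if (empty($_SESSION['logged_in']) || empty($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl);
        exit;
    }
}

function logout(): void
{
    // Clear the marker and drop the server-side session data.
    $_SESSION = [];
    session_destroy();
}

// login.php:
//   session_start();
//   if (login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) { header('Location: /home.php'); exit; }
// any protected page:
//   session_start(); require_login();
```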
