[PHP] Access control question
Quick question... I have a site where users log in: they put their user name and password in a form and, if they are verified against the database, session variables are created, $_SESSION['user'] and $_SESSION['pass'], and they get sent to the next page by way of

    header('Location: https://www.mysite.com/login/'); // not a real site

On that page, and all other pages for which I want to control access, I then put a little access control script (actually, an include file) at the top of each page that checks to see that $_SESSION['user'] is present. If $_SESSION['user'] is *not* present, I send them back to the login page. If $_SESSION['user'] *is* present, they're granted access to the page.

Here's the question: Is it simply enough to just check that $_SESSION['user'] is present, and therefore, by that alone, assume the user has logged in and should be granted access? Or should I be verifying the $_SESSION['user'] and $_SESSION['pass'] against the database on every page?

The reason I ask is that an article (tutorial) on access control runs a script that hits the database on every page. But, to me, that seems like a waste because simply having $_SESSION['user'] present means they've already logged in. Am I missing something here?

Thanks, as always!

Jeff

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Access control question
Hi Jeff:

On Fri, Jun 07, 2002 at 10:25:27AM -0500, Jeff Field wrote:

> Is it simply enough to just check that $_SESSION['user'] is present, and
> therefore, by that alone assume the user has logged in and should be
> granted access? Or, should I be verifying the $_SESSION['user'] and
> $_SESSION['pass'] against the database on every page?

If you validate the user/pass before starting a session for the person, then the existence of the session itself proves the person has logged in. No?

Passing/testing the password on each page is unnecessary and poses security risks.

Disclaimer: I don't use PHP's session functions for sessions. What I do in my system is give everyone a session. All folks who haven't logged in are one user. Once they log in, my session database associates their UserID with their session. The UserID isn't checked on each page. When access to a particular page needs to be limited, I check their permission level (which is in another field of the session database) to ensure they have the privileges needed to perform the operation.

Enjoy,

--Dan

-- 
PHP classes that make web design easier
SQL Solution | Layout Solution | Form Solution
sqlsolution.info | layoutsolution.info | formsolution.info
T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
4015 7 Av #4AJ, Brooklyn NY
v: 718-854-0335 f: 718-854-0409
Re: [PHP] Access control question
You are also assuming that the session hasn't been hijacked. Other things you can do are store the user's UserAgent in a session var and check it on every page (a session spoofer MIGHT be using a different browser), and do likewise for IP address. Although remember that AOL users will have problems with this, since their requests do not always originate from the same IP address.

There is a class on the Zend website, called "Introduction to Classes" or something, that has a nice security class you can use.

But to answer your question, I don't think you need to check another session variable to see if they're logged in. If they have a user_id session variable, then they have a session, and are logged in, afaict. You're really testing different elements of the same $_SESSION array, so the presence of any session var means that a session is established.

Erik

On Friday, June 7, 2002, at 11:25 AM, Jeff Field wrote:

> [Jeff's original message, quoted in full above]

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
RE: [PHP] Access control question - follow-up question
Your way to check for privileges sounds good. However, at my site, for this one area (basically, the customer's area) there's only one privilege; you either have access or you don't. So, I'm assuming my way is probably good enough for now.

In regards to the presence of the session itself being good enough for verification, the reason I would check for $_SESSION['user'] is that that variable means they are logged in, as opposed to merely having a session in use. I say that because, given that I may want to start a session for other uses, such as tracking a user's navigation through the website, the presence of the session itself would not be good enough to know if they've logged in or not.

In regards to "Passing/testing the password on each page is unnecessary and poses security risks.", I'm under the impression that when I create the user and password variables, the variables are only available in the session data on my own server, not in the cookie that is sent to the user to maintain sessions. The cookie sent to the user merely contains the session ID. Therefore, other than someone hijacking the session, I'm a little unclear as to the security risk. Have I got this right?

Thanks!

Jeff

-----Original Message-----
From: Analysis Solutions [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 07, 2002 10:42 AM
To: PHP List
Subject: Re: [PHP] Access control question

> [Dan's reply, quoted in full above]
Re: [PHP] Access control question - follow-up question
On Fri, Jun 07, 2002 at 11:32:48AM -0500, Jeff Field wrote:

> In regards to "Passing/testing the password on each page is unnecessary
> and poses security risks.", I'm under the impression that when I create
> the user and password variables, the variables are only available in the
> session data on my own server, not in the cookie that is sent to the user
> to maintain sessions. The cookie sent to the user merely contains the
> session ID. Therefore, other than someone hijacking the session, I'm a
> little unclear as to the security risk. Have I got this right?

A general rule: if something doesn't need to be stored, don't store it. This saves time and space. In the instance of passwords, storing them needlessly keeps sensitive information around. This poses a problem in the event your system gets compromised. There are lots of ways that can happen, both known and yet to be discovered and yet to be created. So, it's just safer not to do it.

--Dan
RE: [PHP] Access control question - follow-up question
Absolutely right! I'm storing the password needlessly. I've got the user name and that's all I need for anything further.

Thanks!

Jeff

-----Original Message-----
From: Analysis Solutions [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 07, 2002 12:42 PM
To: PHP List
Subject: Re: [PHP] Access control question - follow-up question

> [Dan's follow-up reply, quoted in full above]
Re: [PHP] Access control question - follow-up question
On Friday, June 7, 2002, at 12:32 PM, Jeff Field wrote:

> I'm under the impression that when I create the user and password
> variables, the variables are only available in the session data on my own
> server, not in the cookie that is sent to the user to maintain sessions.
> The cookie sent to the user merely contains the session ID. Therefore,
> other than someone hijacking the session, I'm a little unclear as to the
> security risk. Have I got this right?

Exactly. Unless they had access to the server itself, where the session data is stored in a temporary file. So there are two vulnerabilities -- server compromise and cookie spoofing.

But don't forget that without SSL, someone watching your client's port (or your server's port) will see the password in plaintext and get through that way. Watching a port is about as easy as anything I can think of. So for true security you'll need SSL.

Erik
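An added example, not code from the thread, that puts the thread's advice into one login script and one guard include: verify the password once against the database, regenerate the session ID, keep only a user ID and a permission level in the session (never the password, per Dan), and check a user-agent fingerprint on each page (per Erik). It assumes a PDO connection in $pdo, a users table with columns id, username, pass_hash and level holding password_hash()-style hashes, and a PHP version with password_verify(); all of these are assumptions.

```php
<?php
declare(strict_types=1);

// login.php: receives POST username/password (over HTTPS, as Erik notes).
// Assumed schema: users(id, username, pass_hash, level); $pdo is an assumed PDO handle.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, pass_hash, level FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return false;                     // unknown user or wrong password
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);          // a pre-login session ID must not survive login
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['level']   = (int) $row['level'];   // Dan's permission level
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    // Deliberately not stored: the password. The session already proves login.
    return true;
}

// access_check.php: the include at the top of every protected page.
// $minLevel lets a page demand more than "logged in" (Jeff's area needs only 1).
function require_login(int $minLevel = 1): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $ok = isset($_SESSION['user_id'])                       // logged in, not merely a session
        && hash_equals($_SESSION['ua_hash'] ?? '', $ua)     // Erik's user-agent check
        && (($_SESSION['level'] ?? 0) >= $minLevel);        // privilege check
    if (!$ok) {
        $_SESSION = [];
        session_destroy();
        header('Location: https://www.mysite.com/login/'); // not a real site, as in the thread
        exit;
    }
}

// logout.php
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    session_destroy();
}
```

A session-tracking use that does not imply login (Jeff's navigation tracking) simply never sets user_id, so require_login() still redirects it.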