> -----Message d'origine----- > De : olafurw@xxxxxxxxx [mailto:olafurw@xxxxxxxxx] De la part > de Ólafur Waage > Envoyé : lundi 9 avril 2007 14:40 > À : php-general@xxxxxxxxxxxxx > Objet : Session Authentication > > Lets say i have a login system. This system authenticates the > user via mysql, when the user is authenticated, i set a > session variable to let the system know the user is > authenticated. ie. $_SESSION["authenticated"] = true; > > Lets also say i know that's how the system works, that a > session variable within my browser is set to true. Could i do > this if i knew all this info and "authenticate" myself by > setting the variable from the client side? $_SESSION['variables'] are stored server side and can only be set during script execution, not by the browser. > If it is possible, what can i do to prevent this or increase security? > What is possible here is called session hijacking, imagine this scenario: You are an innocent tourist, and go into a cyber café to check your mail, let's assume when you authenticate to your mail system, it is not encrypted. The owner of the cyber café is sniffing all incoming, and outgoing data, and just happened to know that you logged in. The SESSION_ID that is stored in a cookie on your computer is what links you to your authenticated session on the server. So the owner manages to sniff that SESSION_ID, knowing you are still logged on, he goes to the same site you are on, and edits the cookie that was generated by that site, to have the same SESSION_ID as the one he sniffed over the network. The owner has now owned/hijacked your session and is authenticated as yourself. Depending on the logoff mechanism involved he may or maynot be able to continue using your session when you logoff. So, to conclude on how to optimize your security, your authentication system should be encrypted, as in log in using https:// . Hope this helps, P.S You can try this at home by opening your same siteon two different computers and editing the session cookie on the one your not authenticated on with the session_id from the one you are authenticated on. It's quite suprising how it just "logs in" without credentials ;) Regards, Tim -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
