$_SESSION issues - possible security hole?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I have built an application where users have to log in (the user data is
stored in MySQL). I have 3 levels of rights for users; 1-"normal" rights,
2-"admin" rights, and 3-"super" user rights. When a user logs in, I set the
$_SESSION['rights'] variable accordingly so I can reference it thru out the
site. I have around a dozen pages where the login session information and
the user rights piece work just fine. However, I'm creating an
administration page where admins have some functionality but super users
have all functionality and I've run into issues. I was using the session
rights variable in a number of different IF statements to display and during
a simple test I hit the "refresh" button on my browser and found that when I
did so it CHANGED my session rights to those of a different user!?!? I have
looked thru my code until I'm blue in the face and have even boiled the code
down to the simpest display possible, yet when I hit refresh, it still
changes the user and rights info (note all the other pages work fine).

I have been able to determine that there must be something in my USERS query
that is causing the issue. I changed the query to get data from a completely
different table and show it in a select list and hitting refresh does NOT
change the user or the user rights! So.....does this mean querying the very
table that lists users information (with data like "rights" and "user" in
it) somehow can change the $_SESSION variables?? That appears to be what's
going on, but I thought you had to explicitly assign the $_SESSION variables
before they could be changed. Help!!! I have included my code and the
database table structure below:

<?php

/*******************************************************************************

    Program is only available to admins and super users. This page
    allows for the adding/editing of user accounts and priveledges
    as well as allowing for application messages, application
    lockdown/shutdown, and standard parts administration.

********************************************************************************/

include ("php_header.inc");

if ($_SESSION['rights'] != "super")

    {

    header("location: landing.php");
    exit ();

    }

/******************  ADMINISTER USERS *********************/

$query1 = "select * from USERS order by user";
$result1 = mysql_query($query1) or die ("Couldn't select all users -
super");

include ("html_header.inc");

echo "

    <p>{$_SESSION['user']}, {$_SESSION['rights']}</p>\n
    <p><form action='edit_user.php' method='post'>Choose a user to edit:
<select name='user'>\n";

while ($row = mysql_fetch_array($result1, MYSQL_ASSOC))

    {

    extract($row);

    echo "

    <option value='$user'>$fname $lname - $user\n";

    }

echo "

    </select> <input type='submit' value='Edit User'></form></p>\n
    </body>\n
    </html>";

?>

and here is the included file:

<?php

/************************************************************************

This is the standard header for every page and should be
included after the PHP opening tag on each page. This program
ensures that all pages can only be accessed by users that are
legitimately logged on. This program also allows for
administratively disabling the application by super users. After
disabling, only superusers can make changes.

************************************************************************/

session_start();

include ("special_characters.inc");

/****************** AUTHORIZATION CHECK *********************/

if ($_SESSION['auth'] != "yes")

{

header ("location: index.php");
exit();

}

if ($_SESSION['rights'] != "super")

{

$query = "select * from APP_STATUS";
$result = mysql_query($query) or die ("Couldn't select APP_STATUS");
$app = mysql_fetch_array ($result,MYSQL_ASSOC);

if ($app['app_status'] == 2)

{

$msg = $app['app_message'];
die("$msg");

}

}

?>

my database table for the users looks like this:

Field Type
user varchar(20) PRIMARY KEY
pwd varchar(255)
fname varchar(20)
lname varchar(20)
email varchar(40)
rights varchar(20)
level varchar(20)
credentials text
admin varchar(20)

[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux