3

When a user logs in to the site I need to somehow store the logged-in user id so that my site can generate different content for different users.

Is it secure to save a user's id in a $_SESSION[] variable?

Is it possible for a user to change the $_SESSION[] data and pretend to be another user?

I use the id to check which data I should fetch from the database and to see which permissions the user has.

Sharlike
Oskar Persson
    It's only possible if another user is able to get the other user's session ID. So if you plan to store the session ID's in a database, you should hash or encrypt them. – Kermit Jan 08 '13 at 15:06
  • I would hash it so if somebody gets that information they cannot pretend to be another user (they could get the one saved in SESSION but it will be hard to change it to another) – Skatox Jan 08 '13 at 15:07
  • It's not possible for a user to change session data, it is possible for a user to hijack the session id and pretend to be the user associated with that session – Crisp Jan 08 '13 at 15:08
  • it's not a bad idea to store user IP and browser version on logon and compare it every time – Peter Jan 08 '13 at 15:09
  • 1
    @PeterSzymkowski It depends on your users, actually. Many ISPs will result in their users having different outbound IP addresses on separate requests. Relying on an IP for session security is usually not a good idea. Also doesn't stop anyone who is squatting on the same network. – Colin M Jan 08 '13 at 15:11
  • I'm not going to store the session data in my database. I just want to save the userid when a user logs in. This lets me, for example, check when a user goes to another user's own page whether it's the same user or not, and activate or deactivate a settings page for the user. – Oskar Persson Jan 08 '13 at 15:12
  • @Oskwish Just save the user_id in the `$_SESSION`. It can't be changed by the end user. While session hijacking is entirely possible, there's nothing you can do short of writing your own session layer in PHP (which, depending on the scale of this application, may be worth while), since it's just the default implementation of sessions that is flawed. – Colin M Jan 08 '13 at 15:13
  • Then as long as you secure the session data (outside web root), and take appropriate measures to mitigate session hijacking, you should be fine; users can't change the data stored in a session. Recommended reading -> https://www.owasp.org/index.php/Session_Management_Cheat_Sheet – Crisp Jan 08 '13 at 15:14
  • Let's say that in the future I make two different types of accounts. One free and one paying. Then I want to use the id stored in a session variable to see which content should be displayed. I can't use sessions if other users can enter their own session data. – Oskar Persson Jan 08 '13 at 15:15

1 Answer

5

Best and accepted practice is to save the user id in the session.

The session is by default stored in /tmp as a file. It is not viewable by the end user unless you have security issues such as directory traversal vulnerabilities. Most applications use $_SESSION as you are. If there were a widespread weakness then major projects would be doing things differently. You don't have to worry about a server-side session value being obtained through a client-side exploit. Also keep in mind the simplicity of using the session as well. It makes access to user-specific data that you need constantly standard and consistent throughout your application.

Techie
  • So a simple way to save the data I want to save that is secure, seems great! :) – Oskar Persson Jan 08 '13 at 15:34
  • 1
    +1. The whole point of the `$_SESSION` system is to store this kind of data. It's the way everyone else does it, and it's what you are supposed to do. There are some caveats to be aware of (eg `/tmp` may be accessible to other site owners on a shared host, if the hosting company has been careless with their security), but in general `$_SESSION` is as safe and secure as anything else you could think of using. If you're really worried about it, use an extension like Suhosin that encrypts session data in the background (many hosting companies use Suhosin by default anyway). – SDC Jan 08 '13 at 15:47
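The pattern the answer and the comments describe, as an added example that is not code from the question, the answer or the PHP project: only the user id goes into `$_SESSION`, the session id is regenerated at login so an id the browser held before authentication is discarded, the cookie is marked HttpOnly/Secure/SameSite to make hijacking harder, and the "is this the profile owner?" and "free or paying?" decisions are made from the server-side id and a database lookup, never from anything the client can edit. The `$pdo` connection, the `users` table (columns `id`, `username`, `password_hash`, `plan`) and the function names are assumptions for the example; the array form of `session_set_cookie_params` needs PHP 7.3 or later.

```php
<?php
// Added example (not from the question, the answer or PHP itself).
// Assumed schema: users(id, username, password_hash, plan) with plan
// being 'free' or 'paid'; $pdo is an already-open PDO connection.
declare(strict_types=1);

// Start the session with hardened cookie settings. HttpOnly keeps the id
// away from page scripts, Secure limits it to HTTPS, SameSite=Lax blocks
// most cross-site reuse, and strict mode makes PHP reject session ids the
// server never issued (so a client cannot pick its own id).
function startSecureSession(): void
{
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called only after the password check succeeds. Regenerating the id
// discards the pre-login id (session fixation defence); only the integer
// user id is stored, not the plan or permissions, which could go stale.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

// Clear server-side data, expire the cookie, destroy the session.
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// The logged-in user id, or null for anonymous visitors.
function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// "Another user's page" check from the question: the requested profile id
// comes from the URL (client-controlled), the session id is server-controlled.
// Only the owner gets the settings panel.
function canEditProfile(int $requestedProfileId): bool
{
    $uid = currentUserId();
    return $uid !== null && $uid === $requestedProfileId;
}

// Free vs paying account: looked up by id on every request rather than
// cached in the session, so a downgrade or upgrade takes effect at once.
function userPlan(PDO $pdo, int $userId): string
{
    $stmt = $pdo->prepare('SELECT plan FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $plan = $stmt->fetchColumn();
    return $plan === false ? 'none' : (string) $plan;
}

// Login handler for a POSTed username/password; returns true on success.
function handleLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    loginUser((int) $row['id']);
    return true;
}

// Typical request flow (assumed routing, shown for illustration):
// startSecureSession();
// if (handleLogin($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) { ... }
// $showSettings = canEditProfile((int) ($_GET['profile'] ?? 0));
// $plan = currentUserId() !== null ? userPlan($pdo, currentUserId()) : 'none';
```

The design choice worth noting is that the session holds an identifier only: everything derived from it (ownership, plan, permissions) is recomputed server-side on each request, which is exactly why a user editing their own cookie gains nothing and why a hijacked session id, not the session contents, is the remaining risk the OWASP cheat sheet linked above addresses.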