Relying strictly on the $_SESSION global is not very secure. There are applications capable of "hijacking" sessions and manipulating SESSION IDs which are stored client-side. Take a look at FireSheep.
What I would recommend would be to implement some type of extra level of security. The extra level of security could include whitelisting IP Addresses, or a short expiry time on your SESSIONs.
Also see is storing data in php session insecure (it's not the same question but similar).
White-listing IP Addresses:
As mentioned in white list ip address for admin access, you could keep a record of the IP Addresses that have permission to access your page. If the IP Address does not fall in the allowed addresses, access to the page is denied. You can store the addresses in a database or hardcode them into the script (I'd stay away from hardcoding).
Here is a modified example taken from zerkms in the link above, incorporating your SESSION test:
    <?php
    session_start(); // $_SESSION is only populated after the session is started
    $whitelist = array('192.168.0.1', '192.168.0.2');
    // Deny unless the session is flagged admin AND the client IP is whitelisted
    if (($_SESSION['is_admin'] ?? false) !== true || !in_array($_SERVER['REMOTE_ADDR'], $whitelist)) {
        // Admin denied.
        header('Location: denied.php');
        exit();
    }
    echo "You're an admin!";
Shorten Session Expiry Time:
I'd recommend reading Gumbo's answer here.
More reading material:
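Putting the two suggestions above (an IP whitelist plus a short idle expiry) together in one check, as an added example that is not from the original answer or the linked posts; the function name admin_session_valid, the last_activity key and the $max_idle value are assumptions:

```php
<?php
// Added example (not from the original answer): combine the answer's two
// suggestions, an IP whitelist and a short idle expiry, into one check.
// The function name, the 'last_activity' key and $max_idle are assumptions.

// Returns true only if the session belongs to an admin, the client IP is
// whitelisted, and the session has been active within $max_idle seconds.
function admin_session_valid(array $session, string $remote_addr, array $whitelist, int $now, int $max_idle): bool
{
    if (($session['is_admin'] ?? false) !== true) {
        return false;
    }
    // Strict comparison: no loose type juggling when matching addresses.
    if (!in_array($remote_addr, $whitelist, true)) {
        return false;
    }
    $last = $session['last_activity'] ?? 0;
    if (!is_int($last) || ($now - $last) > $max_idle) {
        return false; // idle too long: treat the session as expired
    }
    return true;
}

session_start();

$whitelist = ['192.168.0.1', '192.168.0.2']; // constructed sample values
$max_idle  = 300;                            // 5 minutes of inactivity

if (!admin_session_valid($_SESSION, $_SERVER['REMOTE_ADDR'] ?? '', $whitelist, time(), $max_idle)) {
    // Expired or unauthorised: drop the session server-side before redirecting,
    // so a captured SESSION ID stops working rather than lingering.
    $_SESSION = [];
    session_destroy();
    header('Location: denied.php');
    exit();
}

// Refresh the idle timer and rotate the session ID on each admin request, so
// an ID sniffed earlier (the FireSheep scenario) is only useful briefly.
$_SESSION['last_activity'] = time();
session_regenerate_id(true);

echo "You're an admin!";
```

The expiry check is enforced by the server regardless of any cookie lifetime the client reports, which is the point of the short-expiry suggestion.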