1

I have a session that I gave to users that has matching password = stored password, like a simple login system :

// Checks Password and Username
if ($pSys->checkPassword($AccountData['password'], $StoredData['password'])) {
    $_SESSION['login'] = true;
}

The question is: is this secure enough?

// put this on every header page that needs to be loggedin.
function loginCheck(){
    if ( empty( $_SESSION['login'] )) {
        header( 'location:index.php' );
        die();
    }
}

Is there a difference between die() and exit()? Second, some say that I should add session_regenerate_id()? (Is that an overkill?) Anyway the real question is said above.

addon*

I have read PHP Session Security but it seems it doesn't match my problem here (that link is just to general).

Here is the checkPassword() method

function checkPassword($password, $storedpassword) {
    if($password == $storedpassword){
        return true;            
    }
}
Improve this question
3
  • 1
    is there a diffrence between die() empty() ? Comparing die() and empty() doesn't make sense. That said, die is equivalent to exit; Commented Jul 26, 2010 at 18:07
  • sorry i mean exit :) ive edit that one George, thanks. Commented Jul 26, 2010 at 18:08
  • 1
    I figured as much. If you check the documentation for die, you'll notice that it points to exit. php.net/manual/en/function.die.php Commented Jul 26, 2010 at 18:09

3 Answers 3

Reset to default
3

Answering the first part: empty and die are not comparable:

  • empty is to check if a variable does not exists or has a value equal to false (see also this type comparison table).
  • die is an alias of exit and is used to immediately abort the execution of the current script with an optional message.

Now to your authentication example: Yes, you should use session_regenerate_id to generate a new session ID and revoke the old session ID by setting the optional parameter for session_regenerate_id to true:

if (!sizeof($ErrorAccount)) { // Checks Password and Username
    session_regenerate_id(true);
    $_SESSION['login'] = true;
}

The purpose of session_regenerate_id is to avoid session fixation attacks. This will not be necessary if the server only allows session ids to be sent via cookies, but since PHP by default allows them in URL, you're strongly recommended to regenerate the id.

Improve this answer
Sign up to request clarification or add additional context in comments.

8 Comments

i mean die and exit, ive just edit it, thanks gumbo, you are always great on answering questions, so using session_regenerate_id does make effect then .. hmm is that just enough ?
Please explain the need for session_regenerate_id It would be quite useful for the answer.
how about the logincheck function is that just good ? no need to add things ?
@Adam Ramadhan: That depends on in what cases $ErrorAccount is filled. How does the authentication process look like?
@ledorfier It's not about disallowing cookies in the URL, but rather using a cookie to hold the session id instead of placing it in the URL. You'd want to do both. Depending on your security needs, that may not be enough. This page in the php manual gives a brief explanation and links to a white paper (PDF) which talks about session fixation and compares it to session hijacking: php.net/manual/en/session.security.php
|
1

Since you are looking for answers about security, also don't keep the stored password in plain text. At the very least, salt and hash your passwords, then store the hash. Rehash and compare hashes, not plain text.

Improve this answer

Comments

1

You could added a token (hash) to the form and then validate the token to make sure that the token which was submitted via the form is still valid. This helps to prevent CSRF attacks.

You could also store the IP address and browser together with the token in a database for additional validation, however you need to be aware that some ISP's change the clients IP address fairly often and could cause the validation to fail incorrectly.

More Info

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.