1

I use a user management script with Sessions

The session object $loggedInUser contains these properties:

$loggedInUser->email
$loggedInUser->user_id 
$loggedInUser->hash_pw 
$loggedInUser->clean_username

The users are able to submit data from 'form.php' through POST to the processing script 'process.php'.

'form.php' has access to the aforementioned Session object. This is the Cookie which is currently submitted when sending the form:

PHPSESSID=7ec81164c9fb2cdc4c6f47a00bc2ae50 

Question:

How do I secure 'process.php' to safely allow only logged-in users to submit data?

*As far as I know, 'process.php' is only accessed by my server and not the user, therefore I have to submit the Session Object either through Cookie, GET or POST, which are all easy to tamper with. Is that right?*

In which way, if appropriate, would you use the submitted Cookie or check the validation?

ATM it's easily possible, knowing the path to 'process.php', to "fake" a submit without logged-in status.

Thank you for some words of wisdom :) from experienced programmers.

1
  • Would it be advisable to send the form to PHP_SELF, where I can wrap the INSERT into a conditional based on SESSIONS? Commented Feb 23, 2012 at 23:37

1 Answer

2

Store $loggedInUser in session and check $_SESSION['loggedInUser']->isLoggedIn() (or however you normally determine if a user is logged in) in process.php.

Attackers can spoof the session_id, but not its contents. https://www.owasp.org/index.php/Session_fixation
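The check the answer describes, as an added example that is not the answerer's or the asker's code. It assumes a login handler that has already verified the credentials, and the hypothetical function names storeLoggedInUser() and requireLoggedInUser(); only benign user data is copied into the session, following the comment below about not storing the password hash.

```php
<?php
// Added example, not code from the original post.
// Two pieces: what the login handler stores in the session, and what
// process.php (the POST target of form.php) checks before doing any work.

// ---- login handler, after the password has been verified ----
// $user is the $loggedInUser object from the question.
function storeLoggedInUser(object $user): void
{
    // Fresh session id after login, so a pre-login id cannot be reused
    // (the fixation issue linked in the answer).
    session_regenerate_id(true);
    $_SESSION['loggedInUser'] = [
        'user_id'        => $user->user_id,
        'email'          => $user->email,
        'clean_username' => $user->clean_username,
        // hash_pw is deliberately NOT copied into the session
    ];
}

// ---- process.php ----
// The browser sends only PHPSESSID; session_start() loads the matching
// server-side data. A forged request without a valid session id simply
// gets an empty $_SESSION and is rejected here.
function requireLoggedInUser(): array
{
    if (empty($_SESSION['loggedInUser']['user_id'])) {
        http_response_code(403);
        exit('Not logged in');
    }
    return $_SESSION['loggedInUser'];
}

session_start();
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}
$user = requireLoggedInUser();

// Handle the form here. Take the user identity from $user['user_id']
// (server-side session), never from a user_id field in $_POST.
```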


8 Comments

  • However, you probably shouldn't be storing the password hash in the session, only benign data like the username/userid.
  • But how is the Session Object available at process.php? The user is not accessing this file with his browser, the request is made from my server's file form.php. Do I understand something wrong here? I thought the only way to make the full SESSION object available is either through COOKIE, POST, GET or sending the form to itself!?
  • @Email You said the user submits form.php to process.php. I assumed you had a form with action="process.php". Dump $_SESSION in process.php and find out for yourself.
  • @prodigitalson thx 4 the tip, I am just learning, your advice helps me a lot.
  • @Mike Yes, that is correct. Is it that process.php has access to the SESSION object (not Cookie/GET/POST sent) too?
