Is isset($_SESSION['admin']) a dangerous way to grant access?

If (for the sake of argument) 'admin-access' was provided in php with:

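// Illustrative access check from the question. The original put the closing
// braces inside the `//` comments, so it did not parse; the comments are moved
// onto their own lines and the braces restored.
if (isset($_SESSION['admin'])) { // this session key would be set
    // grant access               // after a successful login
} else {
    // redirect
}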

Would it be especially easy to get around and fake if you knew what the name of the session is (in this case, admin)?

In other words, can someone easily fake $_SESSION if all the scripts require the session to be "set up"?


Using isset() is not bad for security by itself; it depends on your logic and how you use it — that is, whether you check not only isset() but also the stored value. Note that $_SESSION lives on the server: a client only controls the session ID cookie, so it cannot set $_SESSION['admin'] directly.

Example:

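// Strict comparison: `== true` accepts any truthy value (1, 'yes', 'false', …),
// so a session value set for some other purpose would also grant access.
// `=== true` only passes when the login code stored the boolean true.
if (isset($_SESSION['admin']) && $_SESSION['admin'] === true) {
    // grant access
} else {
    // redirect
}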

Or something like this:

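// Strict comparison: `== '1'` is a loose match (1, true and '1.0' all compare
// equal to '1'); `=== '1'` requires exactly the string the login code stored.
if (isset($_SESSION['admin']) && $_SESSION['admin'] === '1') {
    // grant access
} else {
    // redirect
}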

, , , :

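/**
 * Cookie/session based login helper.
 *
 * A login token (the obfuscated string produced by encode()) is stored in
 * $_SESSION['qdata'] or, when "remember" was requested, in the `qdata` cookie.
 * The token carries username|-|sha1(password)|-|userID|-|userType; isLogin()
 * re-checks the password hash and last_login_ip against the `user` table.
 *
 * NOTE(review): encode()/decode() are a reversible byte shift plus rot13, not
 * encryption, so the token is readable by whoever holds it — the "remember"
 * cookie therefore exposes the user's sha1 password hash. The userType field
 * returned by getUserInfo() is never verified against the database (isLogin()
 * checks only password and IP), so callers must not use it for authorisation.
 * Passwords are stored as unsalted sha1; password_hash()/password_verify() is
 * the standard replacement.
 *
 * Relies on globals $db (prepare()/execute()/fetchAll()) and $ua (getIP()).
 */
class auth {

    protected $userID;
    protected $password;  // sha1 of the submitted password
    protected $username;  // lower-cased
    protected $remember;  // non-zero => cookie instead of session
    protected $userType;

    /**
     * Verify a username/password pair against the `user` table and, on
     * success, create the login token.
     *
     * @param string $username  case-insensitive; lower-cased before lookup
     * @param string $password  plain text; compared as sha1
     * @param int    $remember  non-zero stores the token in a one-week cookie
     * @return bool true when the credentials match an active user
     */
    public function checkAuth($username, $password, $remember = 0) {
        global $db;

        // NOTE(review): unsalted sha1 kept for compatibility with the stored
        // `password` column; migrate to password_hash()/password_verify().
        $this->password = sha1($password);
        $this->username = strtolower($username);
        $this->remember = $remember;

        $sth = $db->prepare("SELECT `id`,`username`,`password`,`type` FROM `user` WHERE `username` = :username AND `active` = '1' LIMIT 1");
        $sth->execute([
            ':username' => $this->username,
        ]);
        $rows = $sth->fetchAll();

        // Unknown or inactive user: the original indexed $result[0] unguarded.
        if (empty($rows)) {
            return false;
        }
        $row = $rows[0];

        // Constant-time compare. A loose `==` between two numeric-looking hash
        // strings (e.g. "0e…") compares them as numbers, not as strings.
        if (!hash_equals((string) $row['password'], $this->password)) {
            return false;
        }

        // Only populate identity fields once the password has been verified.
        $this->userID = $row['id'];
        $this->userType = $row['type'];
        $this->makeLogin();
        return true;
    }

    /**
     * Build the login token and store it in the cookie (remember) or session.
     */
    private function makeLogin() {
        $securityInformation = $this->username . '|-|' . $this->password . '|-|' . $this->userID . '|-|' . $this->userType;
        $hash = $this->encode($securityInformation);
        if ($this->remember) {
            // HttpOnly keeps the token (and the password hash inside it) out of
            // reach of page scripts; Secure is set when the request used TLS.
            $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
            setcookie('qdata', $hash, time() + 604800, '/', '', $secure, true);
        } else {
            // Rotate the session id so a session id handed out before login
            // does not become an authenticated one (session fixation).
            if (session_status() === PHP_SESSION_ACTIVE) {
                session_regenerate_id(true);
            }
            $_SESSION['qdata'] = $hash;
        }
        // updateStats() is not defined in this class; presumably supplied by a
        // subclass — TODO confirm.
        $this->updateStats();
    }

    /**
     * Check whether the stored token still matches the database.
     *
     * @return bool true when the token's password hash equals the stored one
     *              and the request IP equals last_login_ip; false otherwise
     *              (the original returned null when no token was present)
     */
    public function isLogin() {
        global $db, $ua;

        $data = $this->getUserInfo();
        if (!$data) {
            return false;
        }

        $sth = $db->prepare('SELECT `password`,`last_login_ip` FROM `user` WHERE `id` = :ID LIMIT 1');
        $sth->execute([
            ':ID' => $data['userID'],
        ]);
        $rows = $sth->fetchAll();

        // Token refers to a user that no longer exists.
        if (empty($rows)) {
            return false;
        }

        $passwordMatches = hash_equals((string) $rows[0]['password'], (string) $data['password']);
        $ipMatches = (string) $rows[0]['last_login_ip'] === (string) $ua->getIP();
        return $passwordMatches && $ipMatches;
    }

    /**
     * Drop the login token from both the cookie and the session.
     */
    public function logout() {
        if (isset($_COOKIE['qdata'])) {
            setcookie('qdata', '', time() - 200, '/');
        }
        if (isset($_SESSION['qdata'])) {
            unset($_SESSION['qdata']);
        }
    }

    /**
     * Split a decoded token into its four fields.
     *
     * @param string $hash output of encode()
     * @return array|false keys username, password, userID, userType; false when
     *                     the token does not decode to exactly four parts
     *                     (the original emitted notices and returned nulls)
     */
    private function parseHash($hash) {
        $parts = explode('|-|', $this->decode($hash));
        if (count($parts) !== 4) {
            return false;
        }
        list($username, $password, $userID, $userType) = $parts;
        return [
            'username' => $username,
            'password' => $password,
            'userID'   => $userID,
            'userType' => $userType,
        ];
    }

    /**
     * Read the login token from the cookie (takes precedence) or the session.
     *
     * NOTE(review): the returned fields come straight from client-controlled
     * storage; only isLogin() verifies password and IP against the database,
     * and userType is never verified.
     *
     * @return array|false parsed token, or false when none is present/valid
     */
    public function getUserInfo() {
        if (isset($_COOKIE['qdata'])) {
            return $this->parseHash($_COOKIE['qdata']);
        }
        if (isset($_SESSION['qdata'])) {
            return $this->parseHash($_SESSION['qdata']);
        }
        return false;
    }

    /**
     * Obfuscate a string: each byte becomes the pair (byte+3, byte+2), pairs are
     * emitted in reverse order, then the result is rot13'ed. Reversible by
     * decode(); provides no confidentiality or integrity.
     *
     * @param string $str
     * @return string
     */
    private function encode($str) {
        $out = '';
        $len = strlen($str);
        for ($i = 0; $i < $len; $i++) {
            $byte = ord($str[$i]);
            // Prepending reverses the pair order; chr() reduces mod 256.
            $out = chr($byte + 3) . chr($byte + 2) . $out;
        }
        return str_rot13($out);
    }

    /**
     * Inverse of encode(): undo rot13, take the +3 byte of each pair (even
     * positions), subtract 3 and restore the original order.
     *
     * @param string $str
     * @return string
     */
    private function decode($str) {
        $str = str_rot13($str);
        $out = '';
        $len = strlen($str);
        for ($i = 0; $i < $len; $i += 2) {
            $out = chr(ord($str[$i]) - 3) . $out;
        }
        return $out;
    }
}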

, , , , .

