PHP sessions and authorization

O

Ockonal2013-11-21 20:33:44

PHP

Ockonal, 2013-11-21 20:33:44

Hello, I made authorization in PHP.
The following code is included at the beginning of each file:

session_start();
session_regenerate_id();

Now I want to save the user id in the session and check in the future: if this variable is set, then the user is authorized and you can access the database using this id.
How safe is this behavior? Is it possible somehow on the client to "transfer" another user's id to the session?

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

A

Alexey, 2013-11-21
@Ockonal

The session is a hash that is stored in the user's cookies, when the user accesses the script, PHP checks the hash and takes the session data from the file.
In general, the answer is: safe.
But that's why you're doing session_regenerate_id(); not clear, it is not needed.

A

Alexander Wolf, 2013-11-21
@mannaro

Yes, it is safe because
But, I advise you to check the user's IP in order to at least protect yourself a little from session spoofing.
And yes, session_regenerate_id();it's not necessary at all.

session_start();
$ip = $_SESSION['userIP'];

if (!$ip) {
    $_SESSION['userIP'] = $_SERVER['REMOTE_ADDR'];
} elseif ($ip != $_SERVER['REMOTE_ADDR']) {
    session_destroy();
    session_start();
}