WebApp Sec mailing list archives

Re: Correct Session Authentication


From: Santiago Rocandio <srocandio () adinet com uy>
Date: Sat, 29 Jul 2006 15:22:34 -0300

"Every page that a user needs to be authenticated to see checks to see that the user id stored in the session is greater than 0, if not the user is classed as not authorised as 0 is not a valid user id."

If your application uses user rights levels, don't forget to check that in every .php page too. Because if you only check that the session is greater than 0, an authenticated user with right level 1 can get a URL that only a user with right level 2 should see.

Santiago. ___/\/\/\/\/\/\/\/\/\/\(°°)

PS: take a look at... http://www.owasp.org

xbennx () hotmail co uk wrote:
I've been developing a shopping cart for my friend's company and have just started using sessions to authenticate people. After reading many tutorials on the internet about sessions and PHP I coded a login page. I keep hearing about session ids but all the tutorials I read didn't mention them.

When a user logs on, the username and password are sent via SSL and the md5 hash is then checked against a hash stored in the database. If the credentials are found in the database, the user's id is returned and stored in a session. If the credentials are not found this session value is 0. Every page that a user needs to be authenticated to see checks to see that the user id stored in the session is greater than 0, if not the user is classed as not authorised as 0 is not a valid user id.

Is this method secure or can it be easily bypassed?
Another thing I was wondering is where are session values actually stored? I've read that they're stored in cookies but I always thought there was a separate function in PHP to create cookies?

Sorry this is so long, any help will be much appreciated.

Thanks
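The pattern the two messages describe, written out as an added example (this is not code from either poster): a helper file that every protected page includes, which binds the user id and rights level to the session at login and then offers both the "logged in at all" check from the original post and the per-page rights-level check Santiago's reply asks for. It also answers the storage question in passing: the session data stays on the server, and only the session id travels in the cookie. The file name auth.php, the users table layout and the sample users are assumptions; the block expects PHP 7.3+ with the pdo_sqlite driver for its self-contained demo.

```php
<?php
// auth.php (hypothetical file name): included at the top of every page that
// needs a logged-in user. Added example for this thread, not the original
// poster's code. Assumes PHP 7.3+ with PDO and the pdo_sqlite driver.
declare(strict_types=1);

// Session data itself lives on the server (session.save_path); the browser only
// receives the session id in the PHPSESSID cookie. Mark that cookie HttpOnly and
// Secure so it is neither readable from script nor sent over plain HTTP.
if (session_status() === PHP_SESSION_NONE) {
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

/**
 * Check the username/password against the users table (assumed columns:
 * id, username, level, password_hash). On success the user id and rights
 * level are bound to a freshly issued session id. Returns true on success.
 */
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, level, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() compares against a salted hash made by password_hash();
    // this replaces the unsalted md5 comparison described in the thread.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // A new session id on login means the authenticated session never reuses an
    // id that existed before authentication (session fixation defence).
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['level']   = (int) $row['level'];
    return true;
}

/** Stop the request unless a valid (> 0) user id is bound to the session. */
function require_login(): int
{
    $userId = (int) ($_SESSION['user_id'] ?? 0);
    if ($userId <= 0) {
        http_response_code(403);
        exit('Not authorised');
    }
    return $userId;
}

/**
 * Stop the request unless the session's rights level is at least $minLevel.
 * This is the per-page check from the reply: being logged in is not the same
 * as being allowed to see a level-2 page.
 */
function require_level(int $minLevel): int
{
    $userId = require_login();
    if ((int) ($_SESSION['level'] ?? 0) < $minLevel) {
        http_response_code(403);
        exit('Insufficient rights');
    }
    return $userId;
}

/** Clear the server-side session data and expire the cookie on logout. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// --- Constructed demo with an in-memory SQLite database (run from the CLI) ---
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, level INTEGER, password_hash TEXT)');
    $ins = $db->prepare('INSERT INTO users (id, username, level, password_hash) VALUES (?, ?, ?, ?)');
    $ins->execute([1, 'alice', 1, password_hash('alice-pass', PASSWORD_DEFAULT)]); // constructed sample users
    $ins->execute([2, 'admin', 2, password_hash('admin-pass', PASSWORD_DEFAULT)]);

    $bad  = login($db, 'alice', 'wrong');       // false: session stays unauthenticated
    $good = login($db, 'alice', 'alice-pass');  // true: user_id = 1, level = 1
    // A level-1 user on a level-2 page: require_level(2) would now send 403 and exit.
    $allowedOnLevel2 = ((int) $_SESSION['level']) >= 2;
    var_dump($bad, $good, $allowedOnLevel2);    // bool(false) bool(true) bool(false)
}
```

A protected page then starts with `require 'auth.php'; require_level(2);` (or `require_login()` for pages any logged-in user may see), so the rights check is made on every request rather than only at login, and nothing about the user's level is trusted from the client.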

-------------------------------------------------------------------------
Sponsored by: Watchfire

AppScan 6.5 is now available! New features for Web Services Testing, Advanced Automated Capabilities for Penetration Testers, PCI Compliance Reporting, Token Analysis, Authentication testing, Automated JavaScript execution and much more. Download a Free Trial of AppScan today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=70150000000CYkc
-------------------------------------------------------------------------