
So my question is very basic.

When checking if a user is still logged in on any page, I'll use

if (isset($_SESSION['user']) && $_SESSION['user'] == true) { CODE }

But, shouldn't I use a hashed value instead of a boolean value for the $_SESSION['user']? All the guides I find are using boolean values, but from my point of view that is a security leak, isn't it? People are talking about Session-Hijacking and Session-Fixation all the time, and that would be very easy if I just used boolean values for the user-session, wouldn't it? Or am I just mixing things up here?

Thank you

  • Hijacking a session doesn't somehow give you access to the session data. The data is still intact (unless you allow users to change it). Commented Feb 14, 2013 at 18:32
  • why? $_SESSION data exists only on the server and is not directly accessible/manipulable by a user unless your code allows them to. Commented Feb 14, 2013 at 18:32
  • But hijacking gives you access to data accessed by a session. So am I right that these kinds of sessions are different to the PHPSESSID? Commented Feb 14, 2013 at 18:37
  • @JustBasti you're still confused about server-side and client-side. Try it for yourself. Start a session and look at the session cookie that is stored in your browser called PHPSESSID. All it is is a 32 bit string of hex characters. That's ALL the information that the hijacker gets unless your program reveals more to them since they will essentially be logged in as the original user. Commented Feb 14, 2013 at 18:42
  • @BackinaFlash Preparing for the worst is never a bad thing. Is it likely that someone is going to hack any particular server? No. But it is possible. Better safe than sorry. Commented Feb 14, 2013 at 18:43

1 Answer

I read two questions here. The first question, 'What is the best practice to determine if a user is logged in?' and the second question 'Is there a concern of Session-Hijacking and Session-Fixation?'

First question: Most web apps/cms I have worked with have a user object. There is nothing particularly special about this object from a code perspective, it's just an object representing the user. The currently logged in user has their user object stored in the session. $_SESSION['user']

In Drupal (and other platforms) a function is used to return the currently logged in user, or False if the user is not logged in.

Example:

function user(){
    // Return the stored user object only if it really is an instance of our class
    if( isset($_SESSION['user']) and
        is_object($_SESSION['user']) and
        get_class($_SESSION['user']) == 'myUserClass' ){
        return $_SESSION['user'];
    }else{
        return False;
    }
}

So in your example we see if ( user() ) { CODE } works because all objects evaluate as True in an if clause.

Second Question: Session-Hijacking and Session-Fixation are not really concerns here. The client (a web browser) does not have access to the server's $_SESSION array. So in short, yes you are mixing things up here.
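The user-object pattern from the answer, carried through to a minimal login/logout flow, as an added example that is not the answer's or Drupal's code. MyUser and the helper function names are assumed; the session id is regenerated at login because that, not the value stored server-side, is what session fixation actually targets.

```php
<?php
// Added example; MyUser and the function names are assumed, not from any framework.
// Declare (or autoload) the class before session_start(); otherwise the stored
// object unserializes as __PHP_Incomplete_Class and current_user() returns false.
class MyUser
{
    public $id;
    public $name;
    public function __construct($id, $name) { $this->id = $id; $this->name = $name; }
}

// Once per request, before any output. The cookie flags limit what a stolen
// PHPSESSID can do: never sent over plain HTTP, not readable by JavaScript.
function start_session()
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Call after credentials have been verified elsewhere. Regenerating the id means
// an id planted in the browser before login (fixation) never becomes authenticated.
function login_user(MyUser $user)
{
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

// The logged-in user's object, or false when nobody is logged in.
function current_user()
{
    if (isset($_SESSION['user']) && $_SESSION['user'] instanceof MyUser) {
        return $_SESSION['user'];
    }
    return false;
}

// Drop server-side data and the session id together.
function logout_user()
{
    $_SESSION = [];
    session_destroy();
}

// Page usage: objects are truthy, so this reads like the answer's if ( user() ).
start_session();
$u = current_user();
echo $u ? "Logged in as {$u->name}\n" : "Not logged in\n";
```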
