Security with PHP Sessions
<p>I know this has been asked billions of times, but I'm super paranoid/OCD about the security of my coding. I'm working on a little project. The session data will only contain:</p>
<blockquote>
<p><b>user_id</b> 1<br />
<b>user_name</b> MyUsername<br />
<b>logged_in</b> true<br />
<b>csrf_token</b> 87cc51ee94178df79cccce2aebc45d53</p>
</blockquote>
<p>Here's my code. Is it <b>secure</b> enough to use on a small CMS?</p>
<pre><code>// Cookie settings have to be applied before session_start(); afterwards the
// session cookie has already been sent with the old flags.
ini_set('session.cookie_httponly', 'On');
ini_set('session.cookie_secure', 'On');
ini_set('session.use_cookies', 'On');
ini_set('session.use_only_cookies', 'On');
session_start();

// Regenerate the session id on roughly 70% of requests (skipped when rand is 1, 3 or 5).
$rand = rand(1, 10);
if ($rand != 1 &amp;&amp; $rand != 3 &amp;&amp; $rand != 5) {
    session_regenerate_id();
}

// Bind the session to the client's IP address and User-Agent.
$user_ip = md5($_SERVER['REMOTE_ADDR']);
$user_agent = md5($_SERVER['HTTP_USER_AGENT']);

if (isset($_SESSION['user_ip'], $_SESSION['user_agent'])) {
    $session_user_ip = $_SESSION['user_ip'];
    $session_user_agent = $_SESSION['user_agent'];
    if ($session_user_ip != $user_ip || $session_user_agent != $user_agent) {
        $_SESSION = []; // clear the data; unset($_SESSION) would break the superglobal
        session_destroy();
        die('Error');
    }
} else {
    $_SESSION['user_ip'] = $user_ip;
    $_SESSION['user_agent'] = $user_agent;
}
</code></pre>
<p>Then to call the sessions:</p>
<pre><code>$_SESSION['user_id'] = 1;
$_SESSION['user_name'] = 'MyUsername';
// etc.
</code></pre>
<p><i>Extra Info</i><br />
I'll be using the session data to check if the user has permissions to do something. Example: <code>if ( user_has_perm( $_SESSION['user_id'] ) )</code></p>
<p>Thanks for your help in advance.</p>
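As an added example (not the question author's code), a hardened version of the same bootstrap: cookie flags set before session_start(), regeneration tied to login instead of a rand() roll, a User-Agent-only binding, and a CSRF token from a CSPRNG compared in constant time. The function names secure_session_start, login_user and csrf_token_valid are assumed.

```php
<?php
function secure_session_start(): void
{
    // Cookie flags and modes must be set BEFORE session_start(); ini_set()
    // afterwards cannot change the cookie that has already been sent.
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept an id from the URL
    session_set_cookie_params([
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',  // not sent on most cross-site POSTs
    ]);
    session_start();

    // Bind the session to the User-Agent only: the client IP is a poor key,
    // mobile and corporate users change address mid-session and get logged out.
    $fingerprint = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (isset($_SESSION['fingerprint'])
        && !hash_equals($_SESSION['fingerprint'], $fingerprint)) {
        $_SESSION = [];      // not unset($_SESSION), which breaks the superglobal
        session_destroy();
        http_response_code(403);
        exit('Session invalid');
    }
    $_SESSION['fingerprint'] = $fingerprint;

    // One CSRF token per session from a CSPRNG, not md5() of something guessable.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
}

// Regenerate the id at every privilege change (login, logout, role change)
// rather than on a rand() roll; this is what defeats session fixation.
function login_user(int $userId, string $userName): void
{
    session_regenerate_id(true);  // true also deletes the old session file
    $_SESSION['user_id']   = $userId;
    $_SESSION['user_name'] = $userName;
    $_SESSION['logged_in'] = true;
}

// Constant-time check of a submitted form token against the session copy.
function csrf_token_valid(?string $submitted): bool
{
    return is_string($submitted) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}
```

Call secure_session_start() at the top of every request and login_user() only after the password check succeeds; verify POST forms with csrf_token_valid($_POST['csrf_token'] ?? null).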