Is this a safe use of Session Variables?

Front-end · Unresolved · 4 answers · 894 views
执念已碎 2020-12-17 04:17

I used $_SESSION['name'] to handle data from page to page. I mainly used it to keep the user logged in between pages. Within every page, I check if $_SESSION['logged_in']

4 answers
  •  渐次进展
    2020-12-17 05:20

    Your code is vulnerable to session fixation and session hijacking attacks. See http://phpsec.org/projects/guide/4.html for more information.

    As you build bigger, more involved applications, you will also want to be careful how you handle logging the user out and handling other session-related aspects, such as privilege escalation. Handling sessions and logins safely is a tricky beast.

    Implementing secure authentication is hard. Unless you are doing it as an academic exercise, I would strongly recommend using the library provided by your framework, if you are lucky enough to have a good one.

    You will also want to consider things such as the following:

    • Do not allow the session id to be forced. [session fixation]
    • When permissions or credentials are changed (e.g. because the user has now logged in or out) then immediately invalidate the session and start a fresh one.
    • Provide a logout feature, and be sure to invalidate the session upon logout.
    • Set the session cookie to HttpOnly. Preferably, require HTTPS and also set the cookie to secure only.
    • Consider restricting the session validity to include checking some other information that helps to match the user e.g. user-agent. [session hijacking]
    • Always expire sessions after non-use and do not implement "keep me logged in" by reconnecting the user to their old http session.
    • Ensure that all session-related data is destroyed when a session is invalidated, regardless of where it is stored. A new user coming along may just happen to get assigned a session id that has been used previously. This new session must not have any access to session data that has been set previously against that session id.
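The checklist in the answer above, carried through in plain PHP (7.3 or later) as an added example; this is not the answerer's code and not from the original thread. The function names, the 900-second idle limit, the user-agent binding and the /login.php path are assumptions chosen for illustration; credential verification itself is out of scope and not shown.

```php
<?php
// Added example (not the answerer's code): the session-handling checklist above,
// applied in plain PHP >= 7.3 without a framework. Function names, the idle
// limit and the login page path are illustrative assumptions.

declare(strict_types=1);

const SESSION_IDLE_LIMIT = 900; // seconds of inactivity before the session is dropped (assumed)

function startSecureSession(): void
{
    // Reject session ids the server never issued, so a pre-set ("fixed") id
    // in the browser is simply replaced with a fresh one.
    ini_set('session.use_strict_mode', '1');
    // Accept the id only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    $uaHash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');

    // Idle expiry, and a cheap hijacking check against the user-agent seen at
    // login. Either failure throws the whole session away and starts a new one.
    $expired  = isset($_SESSION['last_activity'])
        && time() - $_SESSION['last_activity'] > SESSION_IDLE_LIMIT;
    $mismatch = isset($_SESSION['ua_hash'])
        && !hash_equals($_SESSION['ua_hash'], $uaHash);

    if ($expired || $mismatch) {
        destroySession();
        session_start();
        session_regenerate_id(true);
    }
    $_SESSION['last_activity'] = time();
}

// Call once your own code has verified the credentials (not shown here).
function loginUser(int $userId): void
{
    // Privileges are changing: drop every value set before login and issue a
    // fresh id, deleting the old server-side data so the pre-login id is dead.
    $_SESSION = [];
    session_regenerate_id(true);

    $_SESSION['logged_in']     = true;
    $_SESSION['user_id']       = $userId;
    $_SESSION['ua_hash']       = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['last_activity'] = time();
}

function isLoggedIn(): bool
{
    return ($_SESSION['logged_in'] ?? false) === true;
}

// Destroys every trace of the session: the server-side data and the client cookie,
// so a later user who receives a recycled id inherits nothing.
function destroySession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

function logoutUser(): void
{
    destroySession();
}

// Usage at the top of every protected page:
startSecureSession();
if (!isLoggedIn()) {
    header('Location: /login.php', true, 303); // assumed login page path
    exit;
}
```

The two settings that do most of the work are `session.use_strict_mode`, which defeats fixation by refusing ids the server did not generate, and `session_regenerate_id(true)` at every privilege change, which leaves nothing reachable under the previous id. "Keep me logged in" is deliberately absent: it would need a separate, single-use token store rather than a revived session.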
