Is it safe to use sessions for user validation?
#1

(This post was last modified: 06-16-2017, 03:31 PM by ronaldv.)

I have a website with user registration & login. On login, after username and password are validated, I create a session like this:

PHP Code:
$this->session->set_userdata('user_id', $user->id);

and then in Controllers and Modals I use this data to validate or identify users:

PHP Code:
$user_id = $this->session->userdata('user_id');

if ($user_id == '') {
    // user has not logged in and shouldn't have access to user-area pages.
    ...
}

$query = "SELECT * FROM users WHERE user_id='" . $user_id . "' ...";

Is this method safe or good practice? Is it possible for malicious users to manipulate the session data?
Reply
#2

Your query is not safe
God Bless CI Contributors Smile
Reply
#3

(06-16-2017, 03:19 PM)ronaldv Wrote: I have a website with user registration & login. On login, after username and password are validated, I create a session like this:

PHP Code:
$this->session->set_userdata('user_id', $user->id);

and then in Controllers and Modals I use this data to validate or identify users:

PHP Code:
$user_id = $this->session->userdata('user_id');

if ($user_id == '') {
    // user has not logged in and shouldn't have access to user-area pages.
    ...
}

$query = "SELECT * FROM users WHERE user_id='" . $user_id . "' ...";

Is this method safe or good practice? Is it possible for malicious users to manipulate the session data?


There is so much to think about when authenticating users, that you are better off using somebody else's library if security matters. Depending on how you've configured sessions, and who has access to the server, there is a small chance that somebody would be able to alter the session data. In your particular code, what if the value of user_id was changed to:
PHP Code:
$user_id = "1 OR user_id = 2 OR user_id = 3";


If you're like a lot of people, your admin user might be user ID 1, am I right? The possibilities are endless though, as you've not escaped the query at all.

I like to use the session only for a session ID, and store that session ID in the user's database row. If CI says you have a valid session, and it matches the session ID of the user, then you can perform further queries to get other data you may need.

If you don't want to do a bunch of work, or use an existing authentication library, consider at least type casting $user_id, like this:

PHP Code:
// Always an integer
$user_id = (int) $user_id;

And also learn how to write safe queries in CI:


PHP Code:
$sql = 'SELECT * from users where user_id = ?';
$query = $this->db->query($sql, [ $user_id ]);
Reply
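The following is an added example, not code from this thread or from CodeIgniter. It is plain PHP using PDO with an in-memory SQLite database, so it runs without the framework. It puts the concatenated query from post #1 beside the int cast and bound-parameter query suggested in post #3, and then shows the other idea from that post: keep only a random token in the session and look the user up by the token stored in their row. The users table layout, the session_token column, the function names and the tampered session value are all constructed for the demo.

```php
<?php
// Added example (not from the thread). Plain PHP + PDO + SQLite in memory.
// Table layout and column names are assumptions for this demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, session_token TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'admin', NULL), (2, 'alice', NULL), (201, 'bob', NULL)");

// The pattern from post #1: the session value is glued straight into SQL.
function findUserUnsafe(PDO $db, $user_id): array {
    $query = "SELECT * FROM users WHERE user_id='" . $user_id . "'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// The hardening from post #3: cast to int, then bind as a parameter.
function findUserSafe(PDO $db, $user_id): array {
    $user_id = (int) $user_id;   // always an integer, so it cannot carry SQL
    $stmt = $db->prepare('SELECT * FROM users WHERE user_id = ?');
    $stmt->execute([$user_id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Post #3's alternative: the session holds only a random token, and the same
// token is stored in the user's row. Called once, right after the password check.
function issueSessionToken(PDO $db, int $user_id): string {
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('UPDATE users SET session_token = ? WHERE user_id = ?');
    $stmt->execute([$token, $user_id]);
    return $token;   // this is the only value that goes into the session
}

// On every request: resolve the user from the token, or treat as logged out.
function userFromToken(PDO $db, ?string $token): ?array {
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;   // missing or malformed token: not logged in
    }
    $stmt = $db->prepare('SELECT user_id, username FROM users WHERE session_token = ?');
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample of a session value that has been tampered with.
$tampered = "1' OR '1'='1";
printf("unsafe lookup returned %d row(s)\n", count(findUserUnsafe($db, $tampered)));
printf("safe lookup returned %d row(s)\n", count(findUserSafe($db, $tampered)));

// Token binding: a real token resolves to its user, a guessed one resolves to nobody.
$token = issueSessionToken($db, 201);
printf("real token -> %s\n", userFromToken($db, $token)['username'] ?? 'nobody');
printf("guessed token -> %s\n", userFromToken($db, str_repeat('0', 64))['username'] ?? 'nobody');
```

Run it with the PHP CLI. The unsafe function returns every user for the tampered value, because the closing quote is broken out of, while the safe function returns exactly one row. Note what that one row is: (int) "1' OR ..." is 1, so the cast stops the injection but still resolves to whichever user has ID 1. The cast protects the query; it does not protect you if the session contents themselves can be altered. That is what the token approach addresses: a 256-bit random token cannot be guessed, and a forged or edited one matches no row, so the lookup fails closed instead of landing on another user's account.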
#4

Read this article:

Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with "Remember Me" Cookies)
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply
#5

As others have pointed out, your handling of input data and using it in a query is not "robust". OK, since you don't show that code I'll give you the benefit of the doubt.

Session data does have some vulnerability through cookie hijacking. It is a complex subject. OWASP does a much better job of explaining the pitfalls than I could - read this.
Reply
#6

Thanks for all your answers!

In my query example, $user_id is not user input, but a value taken from the session, which was added there from a query that takes user IDs (which are always integers).

My fear is that an attacker would be able to change the session data and impersonate other users, e.g. changing his ID (e.g. "201") to 1, 2, 3, ... 100000 and thus causing a lot of damage. Would something like that be possible?

@InsiteFX long-term persistence is a nice-to-have feature, but for now, there are other things to be done Wink
Reply