
Session security

Status
Not open for further replies.

phpgramma

Programmer
Dec 24, 2004
35
US
I'm not new to programming, but I am fairly new to security, so any input is very helpful.

I have a database/site that allows permissions for each different user type and each user is declared a certain type. For ease of use, as well as keeping the number of MySQL queries to a minimum for server load, I want to use $_SESSION variables. But, does this pose a security risk? Can people hack session vars and make their own permissions?

What would be the best way to secure the permissions?

Thanks,
J
 
Unless you use SID in the hrefs, it's not *very* simple to hijack a session.

Use encrypted login, etc. and also remember to use striptags, etc. on all variables, before using them in the database.

Olav Alexander Mjelde
Admin & Webmaster
 
How would you use/perform an encrypted login?

And striptags... that takes out possible code that people may use to hack in?
 
For security, you can encrypt passwords.
You can also use HTTPS, SSL... (you need a dedicated port and SSL set up by hosting)

Striptags removes HTML, JavaScript, etc.
It's very important, if it goes to the DB, to use striptags.

You might also need to escape quotes, if it's not set up in the hosting to do so.

Olav Alexander Mjelde
Admin & Webmaster
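
The setup discussed in this thread, as an added PHP example that is not part of any post: the user type is cached in `$_SESSION` at login, the session ID is kept in a cookie rather than in URLs, and the query uses a prepared statement. The `users` table, its columns and the function names are assumptions; `password_hash()`/`password_verify()` stand in here for the "encrypted" passwords mentioned above.

```php
<?php
// Added example, not from the thread. Table, column and function names
// are assumptions made for illustration. Requires PHP 7.3 or later.
declare(strict_types=1);

// Keep the session ID out of URLs ("SID in the hrefs") and off plain HTTP.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
session_set_cookie_params([
    'secure'   => true,    // cookie is sent over HTTPS only
    'httponly' => true,    // cookie is not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

function login(PDO $db, string $user, string $password): bool
{
    // Prepared statement: the driver handles quoting, no manual escaping.
    $stmt = $db->prepare('SELECT id, pw_hash, user_type FROM users WHERE name = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // pw_hash holds password_hash() output, never the clear-text password.
    if (!$row || !password_verify($password, $row['pw_hash'])) {
        return false;
    }

    session_regenerate_id(true);                 // fresh ID once privileges change
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['user_type'] = $row['user_type'];  // written by server code only
    return true;
}

function require_type(string ...$allowed): void
{
    // $_SESSION data stays on the server; the browser only holds the session ID.
    if (!in_array($_SESSION['user_type'] ?? '', $allowed, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// When echoing stored values into a page, encode them so markup shows as text.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
```

A user type cached this way stays in effect until the session ends, so a permission change in the database only applies once the session is refreshed or destroyed.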
 