Is this method safe?

Sep 4th, 2006, 5:32 PM   #1
TCStyle

So I coded a file upload system for my site. Only members are allowed to access it. I want to know if the following method is safe:

<?php
// session_start() has to run before $_SESSION is read; without it the array
// is empty and every visitor is rejected (unless php.ini enables
// session.auto_start, in which case the check depends on server config).
session_start();
if (!isset($_SESSION['id'])) {
    die("You are not logged in.");
}
?>

html upload form here...

For those of you who are still unclear, I want to know if keeping the upload form in html (instead of echoing it via php) is safe?
__________________
meh...
Sep 4th, 2006, 5:36 PM   #2
Ooble
Check the ID. Cookies and sessions can be faked.
__________________
Me :: You :: Them
Sep 5th, 2006, 1:16 PM   #3
Xeoncross
How can you fake a session?
I thought they were stored on the server? Or do you mean fake the SID and not the data?

How would someone do that?!
Sep 5th, 2006, 2:17 PM   #4
Ooble
Sorry - kinda misread the question. I can't see a problem, but I'm no expert on sessions.
__________________
Me :: You :: Them
Sep 5th, 2006, 2:19 PM   #5
Arevos
Assuming the SIDs are chosen suitably, and I don't know of any reported flaws in PHP's default session handling, then SIDs are secure. Or, at least, secure enough that they are no longer the weakest link in the chain; guessing usernames and passwords is likely far easier than guessing a pseudorandomly generated, temporary SID.

So as far as I'm aware, your code is as safe as it can be, TCStyle.
Oct 20th, 2006, 1:01 AM   #6
jsilver608
The only way your code could be unsafe is if someone was able to guess your session ID (Arevos mentioned this as well).

Also, if you are on a shared web host, you may have issues with other people on that host being able to read your sessions.
__________________
High Performance PHP
http://www.whenpenguinsattack.com
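One way to put the thread's advice into practice, as an added example that is neither TCStyle's code nor anything posted by the other members: the session check from post #1 becomes a reusable gate, the session ID is regenerated on login (the SID-guessing concern from post #5), and the session save path is moved out of the shared default directory (post #6). It goes one step beyond the question as asked: the same gate is applied to the upload handler, since a browser can submit to the handler directly without loading the HTML form page. The file names auth.php and upload.php, the directory paths, the form field name "upload", and a PHP 7+ runtime are assumptions made for this example.

```php
<?php
// auth.php (hypothetical file name): added example, not code from the thread.
// Keeps the thread's $_SESSION['id'] check but wraps it in a function that
// every member-only page, including the upload handler, can call.

// Shared-host point from post #6: session files default to a directory that
// other accounts on the same box may be able to read. Point PHP at a
// directory only this account can reach (placeholder path; create it with
// mode 0700 and keep it outside the web root).
ini_set('session.save_path', __DIR__ . '/../private_sessions');

// Reject session IDs the server never issued, so a client cannot plant one
// (the "fake the SID" case raised in post #3).
ini_set('session.use_strict_mode', '1');
// Carry the ID only in a cookie, and keep that cookie away from page scripts.
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');

session_start();

/** Stop the request unless a member is logged in. */
function require_login(): void
{
    // Validate the shape of the stored id, not merely its presence.
    if (!isset($_SESSION['id']) || !ctype_digit((string) $_SESSION['id'])) {
        http_response_code(403);
        exit('You are not logged in.');
    }
}

/** Call this after the password check succeeds (login logic not shown). */
function start_member_session(int $memberId): void
{
    // A fresh ID on login means any SID a visitor held before
    // authenticating is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['id'] = $memberId;
}

// ---------------------------------------------------------------------------
// upload.php (hypothetical): the script the HTML form posts to. In a separate
// file this section would begin with: require __DIR__ . '/auth.php';
// The static form page may include auth.php and call require_login() exactly
// as TCStyle's snippet does; what matters is that this handler does the same,
// because a client can POST here without ever requesting the form.
require_login();

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['upload'])) {
    http_response_code(400);
    exit('Bad request');
}

$file = $_FILES['upload'];
if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
    http_response_code(400);
    exit('Upload failed');
}

// Store under a server-chosen random name so the client-supplied filename
// never reaches the filesystem; the uploads directory is a placeholder and
// must not be served as executable script.
$dest = __DIR__ . '/../uploads/' . bin2hex(random_bytes(16));
if (!move_uploaded_file($file['tmp_name'], $dest)) {
    http_response_code(500);
    exit('Could not store file');
}
echo 'Upload stored for member ' . (int) $_SESSION['id'];
```

Keeping the form as static HTML is fine; the form is only markup. The gate has to sit in the script that receives the file, and the session settings above have to be applied before session_start() on every page that uses the session, which is why they live in one included file.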
DaniWeb IT Discussion Community