Programming Forums


TCStyle Sep 4th, 2006 6:32 PM

Is this method safe?
 
So I coded a file upload system for my site. Only members are allowed to access it. I want to know if the following method is safe:

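<?php
// Resume the session so $_SESSION is populated; skip this call if an earlier include already started it.
session_start();

// Stop before any of the form HTML below is sent to visitors who are not logged in.
if (!isset($_SESSION['id'])) {
    die("You are not logged in.");
}
?>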

html upload form here...


For those of you who are still unclear, I want to know if keeping the upload form in HTML (instead of echoing it via PHP) is safe?

Ooble Sep 4th, 2006 6:36 PM

Check the ID. Cookies and sessions can be faked.

Xeoncross Sep 5th, 2006 2:16 PM

How can you fake a session?
I thought they were stored on the server? Or do you mean fake the SID and not the data?

How would someone do that?!

Ooble Sep 5th, 2006 3:17 PM

Sorry - kinda misread the question. I can't see a problem, but I'm no expert on sessions.

Arevos Sep 5th, 2006 3:19 PM

Assuming the SIDs are chosen suitably, and I don't know of any reported flaws in PHP's default session handling, then SIDs are secure. Or, at least, secure enough that they are no longer the weakest link in the chain; guessing usernames and passwords is likely far easier than guessing a pseudorandomly generated, temporary SID.

So as far as I'm aware, your code is as safe as it can be, TCStyle.

jsilver608 Oct 20th, 2006 2:01 AM

The only way your code could be unsafe is if someone was able to guess your session ID (Arevos mentioned this as well).

Also, if you are on a shared web-host, you may have issues with other people on that host being able to read your sessions.
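
An added example, not code from any poster in this thread: the same login gate with the two risks raised above (a guessed or forged session ID, and other accounts on a shared host reading session files) handled in the session configuration. The storage path, the cookie settings and the helper name require_login() are assumptions made for the example.

```php
<?php
// Added example (not from the thread). Hypothetical names: $sessionDir, require_login().

// Shared host: keep session files out of the common temp directory, in a
// directory outside the web root that only this account can read.
$sessionDir = __DIR__ . '/../private/sessions';   // assumed location
if (!is_dir($sessionDir) && !mkdir($sessionDir, 0700, true)) {
    http_response_code(500);
    exit('Session storage unavailable.');
}
// Tighten permissions if the directory already existed with group/other access.
if ((fileperms($sessionDir) & 0077) !== 0) {
    chmod($sessionDir, 0700);
}
session_save_path($sessionDir);

// Accept session IDs only from cookies, and only IDs this server issued.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,     // not readable from page scripts
    'secure'   => true,     // assumes the site is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// The gate from the original post. Call it at the top of the page that shows
// the form AND of the script that receives the upload, before any output.
function require_login(): void
{
    if (!isset($_SESSION['id'])) {
        http_response_code(403);
        exit('You are not logged in.');
    }
}

require_login();
// The plain HTML upload form can follow here; it is never sent to visitors
// who fail the check above.
```

The array form of session_set_cookie_params() needs PHP 7.3 or later, and session.use_strict_mode needs PHP 5.5.2 or later.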


All times are GMT -5.