开发者

PHP sessions; How should I solve this big security problem?

问答 作者:

I am fairly new to sessions.

I have a classifieds website, and users may chose to "EDIT" their classifieds.

All they have to enter is a password which they chose when creating the classified.

In the "edit.php" page, if the password is correct, the classified details show up. There is a picture upload tool, which reloads the page but uploads a picture at the same time, and previews to the user.

The problem is that when the pic is uploaded, I don't want the page to ask for password again. (this because the page reloads) Not so nice if password was required for every pic upload开发者_StackOverflow.

So I have set a session variable like this:

 if($pass==$row['pass']){ $_SESSION['correct_pass']=1; }

then in edit.php on reload, I check against this condition:

 if($pass==$row['pass'] || $_SESSION['correct_pass']==1){
    EDIT AD HERE
 }

The problem (BIG PROBLEM) is that once the user enters a correct password, the SESSION['correct_pass'] is created and set to 1.

After this, the user may click "back" on browser and enter another classifieds ID nr in the URL, and the PHP Session will think the password is still okay.

So in other words, one might change other peoples classified if you figure this out.

How should solve this?

If you need more input let me know...

Below are a few lines of code which further describes edit.php file (not tested):

//FIRST VISIT TO "EDIT.PHP?ad_id=ID_OF_CLASSIFIED_HERE"
if($todo==0){
  //User is shown 2 radios, and a password form, and choses either to remove classified, or change classified
}

//REMOVE CLASSIFIED
if($todo==1){
   //User has chosen to remove a classified
    if($pass==$row['pass']){ 
        //DELETE CLASSIFIED
    }
    if($pass!=$row['pass']){
        //SHOW WRONG PASSWORD WARNING
    }
 }

 if($todo==2){
   //User has chosen to change a classified
   if($pass==$row['pass'] || $_SESSION['correct_pass']==1){
        if(!isset($_SESSION['correct_pass'])){
            $_SESSION['correct_pass']=1;
        }
    //EDIT AD HERE
   }
   else {
    //SHOW WRONG PASSWORD WARNING
   }
 }

Thanks

Instead of storing a flag whether the user has entered a correct password or not, store a hash of the password in the session. Then when they try and edit a classified, compare the hash of the password in the session with the hash of the password used to create the classified.

Salt the password with the userid (if you have one), and that should protect against collisions of shitty passwords.

Let me suggest one possible approach to such kind of proplems.

You may generate some long random string (uploadId), remember it on server side (in database / session) and pass as additional request parameter in hidden input element.

Then, when image is uploaded, you may compare these values and check, whether any image was already uploaded with this "uploadId". If that's the first time image with this uploadId comes, then you should remember on server-side, that this uploadId was already used once, and accept upload.

Already used uploadId values may be removed after some timeout / after user logout.

Why not just store a list of the items they are authorized for such as:

$_SESSION['authorizedPages']['pageID'];



if (isset($_SESSION['authorizedPages']['pageID']) == false) 
{
    echo loginForm;
}
else
{
    echo editForm;
}

继续阅读:authenticationphpsecuritysession

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9