Bypass Session Validations php

15
March 14, 2019, at 8:50 PM

Can anyone bypass my login page? If they can bypass it, how would they do it?

<?php
session_start();
if(isset($_SESSION['login']) == "Owner" or isset($_SESSION['login']) == "admin"){
echo 'login In';
}
?>
Answer 1

Storing the login status in the session variable is certainly a decently secure thing to do; however, it's not sufficient all by itself. If someone was able to access the session tables (which is apparently doable in a shared hosting environment) and find the session ID of someone who is logged in, they could hijack the session. So more security is needed. (Google "Session Hijacking" for more information on what it is and how it's done.)

I'm no security expert, but a few things I've done include recording their IP address and Client data, and checking those on each page load. If they're suddenly coming from a different IP address or using a different browser, then I log them out right away. However, as @Barmar noted, mobile devices can change IP addresses during a session, so this is probably not a good practice.

It would also be important to be using a secure connection (https) over TLS. If not, a man-in-the-middle could simply watch the packets going back and forth, pick up the username and password, and log in for themselves.
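As an added example (not from the question or the answer above), here is the posted check beside a strict form of it, plus the session-hardening steps the answer alludes to. It assumes a hypothetical login handler that stores the user's role in $_SESSION['login'] after verifying credentials; the role names 'Owner' and 'admin' are the ones from the question.

```php
<?php
// Added example, not the asker's or answerer's code.

// The check as posted. isset() returns a bool, and PHP's loose comparison
// converts the string "Owner" to true, so (true == "Owner") holds for ANY
// value stored under 'login'. A session whose 'login' key is "guest"
// passes this check exactly like one whose key is "Owner".
function posted_check(array $session): bool
{
    return (isset($session['login']) == "Owner" or isset($session['login']) == "admin");
}

// Corrected check: compare the stored value itself, and compare strictly
// (third argument true) so no type juggling can take place.
function strict_check(array $session): bool
{
    return isset($session['login'])
        && in_array($session['login'], ['Owner', 'admin'], true);
}

// Hardening for the hijacking concern raised in the answer: keep the session
// cookie off plain HTTP and out of reach of script, and issue a fresh session
// ID once the user authenticates so a pre-login ID cannot be reused.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'secure'   => true,   // cookie is sent only over HTTPS
        'httponly' => true,   // cookie is not readable by JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Hypothetical login handler: called only after credentials were verified.
function on_successful_login(string $role): void
{
    session_regenerate_id(true);   // discard the old ID and its data
    $_SESSION['login'] = $role;
}

// Constructed sample sessions for comparison.
$guest = ['login' => 'guest'];    // posted_check passes, strict_check rejects
$owner = ['login' => 'Owner'];    // both checks pass
var_dump(posted_check($guest), strict_check($guest));
var_dump(posted_check($owner), strict_check($owner));
```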
