I just thought of something about securing sessions, and it's bugging me. So could someone help me figure this out?
Alright, let me explain how I think of it. (don't worry, I'll get to the point in a minute)
<?php
if(!isset($_SESSION['login'])) {
$_SESSION['login'] = false;
}
?>
So basicly, no matter what $_SESSION['login']
will always exist. Pretty neat? Maybe.
Okay, say you want a user to login. (getting closer to the point)
<?php
if($_SESSION['login'] === false)
{
if(isset($_POST['login-form']))
{
// execute login code . . .
// if the user had logged in successfully
if($success === true)
{
echo "Successfully logged in.";
$_SESSION['login'] = true;
$_SESSION['username'] = $_POST['username'];
// remember, I just wrote up an example,
// and everything would be filtered and sanitized
// if this were production code
}
}
}
?>
Okay, another thing how this would be setup. (almost there)
<?php
if($_SESSION['login'] === true)
{
// get database user information where username is $_SESSION['username'].
// also, the database table: users, would have unique usernames,
// they can't be the same.
}
?>
Okay, so you see the idea I have setup. But what happens if someone edits the the $_SESSION['login']
to true
? And then they change the $_SESSION['username']
to a username that they want? That means someone can hack any account they wanted. And nobody wants that if they are building an application that stores user passwords and important data.
So the question is, how can I prevent that? Because you can change cookies/sessions by going into developer-tools(chrome) and go into the console and change the cookies with javascript.
Should I make another form that should double check? But that's the point, so it'd be nice if one of you could help me with figuring this question out.