How secure is login with session variables?

Engaged, Apr 03, 2007
I'm using email address as primary key and propagating $MM_Username on login with user authentication.

I've also obviously got Password and $MM_UserGroup.

How secure is this system against hacking?

I know it doesn't appear in the address bar but is it possible to alter session variables using code in the address bar or any other way?

I've set up UserGroups for new registrations that only allow own-account viewing (page restrictions), and under the data protection act I don't want anyone else (unless specified) to be able to access other records.

Thanks
Topics: Server side applications

1 Correct answer: the reply marked as correct is the last one in the thread, quoted in full below.
LEGEND, Apr 03, 2007
"RichardODreamweaver" <webforumsuser@macromedia.com> wrote in message
news:eutfnq$bcs$1@forums.macromedia.com...
> I'm using email address as primary key and propagating $MM_Username on
> login
> with user authentication.
>
> I've also obviously got Password and $MM_UserGroup.
>
> How secure is this system against hacking?

As secure as you make it. :)
If the user logs in over plain HTTP, then people could potentially listen in
on the traffic. Over HTTPS, at least the login is encrypted. Still, what's
more important is the security on the web server itself. If someone can
break in there, then it doesn't matter what kind of security you've got on
your web site.

>
> I know it doesn't appear in the address bar but is it possible to alter
> session variables using code in the address bar or any other way?
>

Only if you let it happen. For instance, not validating user input before
storing it in the session. Users cannot force something into the session,
though. Barring an exploit that allows arbitrary code, but if they've found
one of those, then adding to the session is probably the last thing on their
minds. 🙂 Again, it goes back to keeping the server secure by choosing
appropriate settings, keeping all of your components up to date, etc.

> I've set up UserGroups for new registrations that only allows own account
> viewing (page restrictions) and I don't want anyone else under data
> protection
> act (unless specified) to be able to access other records.

Your best bet is to use integrated Windows authentication under Active
Directory. That would restrict your users to IE, though, and I believe
you'd have to run IIS as well. Over ordinary connections from any browser,
your session-based logins are the best you're going to do. Just invest in a
certificate so you can use HTTPS when appropriate.

> Thanks
>


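An added example, not code from the thread, of the session login pattern discussed in this reply, hardened along the lines Lionstone describes: input is validated before it goes into the session, the session id is regenerated on login, the cookie is restricted to HTTPS, and the "own account only" restriction is enforced from the session value rather than from anything in the address bar. The $users array, the sample password, and the "admin" group name are constructed for illustration; $MM_Username and $MM_UserGroup are the names the thread uses, and PHP 7.3+ is assumed.

```php
<?php
// Added example (not code from the thread): a hardened version of the
// session login pattern discussed above. Assumes PHP 7.3+, a site served over
// HTTPS, and a $users array standing in for the table keyed by email address.
declare(strict_types=1);

// Session id is only accepted from a cookie, an id the server never issued is
// refused, and the cookie is unreadable by page scripts and sent only over HTTPS.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Constructed sample user store: email (primary key) => password hash and group.
$users = [
    'alice@example.com' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT),
                            'group' => 'member'],
];

function login(array $users, string $email, string $password): bool
{
    // Validate before anything reaches the session: only a well-formed email
    // that exists in the store, with a matching password, gets this far.
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($email === false || !isset($users[$email])) {
        return false;
    }
    if (!password_verify($password, $users[$email]['hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh id after login; a pre-login id is now useless
    $_SESSION['MM_Username']  = $email;   // taken from the verified record, not from the request
    $_SESSION['MM_UserGroup'] = $users[$email]['group'];
    return true;
}

// Page restriction for "view own account only": the record to show is decided
// by the session, so ?email=someone@else.com in the address bar changes nothing.
function accountToShow(array $session, array $query): ?string
{
    if (empty($session['MM_Username'])) {
        return null;                      // not logged in: send to the login page
    }
    $requested = $query['email'] ?? $session['MM_Username'];
    if ($requested !== $session['MM_Username'] && ($session['MM_UserGroup'] ?? '') !== 'admin') {
        return null;                      // someone else's record: deny
    }
    return $requested;
}
```

The database query that follows should use the value accountToShow() returns (or $_SESSION['MM_Username'] directly) in its WHERE clause, never the raw query-string value.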
Engaged, Apr 03, 2007
Thanks for this Lionstone - I feel much happier.

The validation code is in the index page (Session starts first) with page restrictions on everything else other than login failed.

One concern is your point on https. I'm running a php site on http and don't know if it's possible to convert to https.

I can only rely now on our L.A.M.P. hosting provider!
LEGEND, Apr 03, 2007 (latest)
"RichardODreamweaver" <webforumsuser@macromedia.com> wrote in message
news:eutk47$gqa$1@forums.macromedia.com...
> Thanks for this Lionstone - I feel much happier.
>
> The validation code is in the index page with page restrictions on
> everything
> else other than login failed.
>
> One concern is your point on https. I'm running a php site on http and
> don't
> know if it's possible to convert to https
>
> I can only rely now on our hosting provider!
>

The server-side scripting you use doesn't have any effect on that.
Your host likely provides HTTPS with a shared certificate for a yearly fee.
Some do, some don't; more do these days, but you'll have to ask them. 😉

