Karlos Posted August 13, 2009

Basically, I give each user a different session_id() when they log in, and it regenerates every 15 mins. However, I was wondering if I could use session_id() as a security measure. I'm not entirely sure if this is a good way to use it, or if I'm using some bits which aren't needed at all, or am I doing it the wrong way?

```php
// Function which uses session_id()
function Delete() {
    global $db, $ir; // $db = Database class || $ir = query for getting users info.
    if (isset($_GET['Id'], $_GET['Auth'])) {
        if ($_GET['Id'] && $_GET['Auth'] == session_id() && session_id() == $ir['sId']) {
            // Cast both values to int so request input cannot change the SQL statement.
            $db->query("DELETE FROM `events` WHERE `evID`=".(int) $_GET['Id']." AND `evUSER`=".(int) $ir['userid']);
            $_SESSION['dResult'] = 'Event Deleted';
        } else {
            Error('An error occured while deleting the selected event.');
        }
    } else {
        Error('An error occured.');
    }
}

// Link to function.
echo '[url="events.php?act=Delete&Id=',$r['evID'],'&Auth=',session_id(),'"]Delete[/url] ';
```

Spudinski Posted September 4, 2009

Re: Session_id() Question?

Well, I haven't run your script through some tests, but in general session IDs are a good way to keep track of a user, mostly because they are not kept/stored on the client's machine, it's kept on the server itself. Session Fixation is quite common, but I would not worry too much about it when it comes to simple MCCode based games.

Karlos Posted September 6, 2009

Re: Session_id() Question?

Well, thank you for the reply. I am also moving away from MC Codes and having a go at my own, where I also use tokens to prevent against CSRF. Would you recommend using session_id(); in my own scripts?

Spudinski Posted September 6, 2009

Re: Session_id() Question?

I found this web page at phpsec, it should explain a few things better than I can and hopefully, give you reason. http://phpsec.org/projects/guide/4.html
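
Added example, not part of the original thread and not code from either poster: the delete action from the first post, reworked to use a separate random per-session token sent in a POST body instead of putting session_id() in the link, where it ends up in browser history, server logs and Referer headers. The function names, the `token` and `id` form fields and the in-memory SQLite table are assumptions made for the sketch.

```php
<?php
// Added example: per-session CSRF token kept separate from the session ID.
// Names (csrf_token, delete_event, 'token', 'id') are hypothetical.

function csrf_token(array &$session): string
{
    // Generate once per session; the session ID itself is never reused here.
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function delete_event(PDO $db, array $session, array $post, int $userId): bool
{
    $sent  = $post['token'] ?? '';
    $known = $session['csrf'] ?? '';
    // Constant-time compare; reject missing or non-string tokens.
    if (!is_string($sent) || $known === '' || !hash_equals($known, $sent)) {
        return false;
    }
    // Accept only a positive integer event id.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    // Bound parameters; the ownership check stays in the WHERE clause.
    $stmt = $db->prepare('DELETE FROM events WHERE evID = ? AND evUSER = ?');
    $stmt->execute([$id, $userId]);
    return $stmt->rowCount() === 1;
}

// Constructed demo data: in-memory SQLite stands in for the game's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE events (evID INTEGER PRIMARY KEY, evUSER INTEGER)');
$db->exec('INSERT INTO events VALUES (1, 7), (2, 7), (3, 8)');

$session = [];                  // stands in for $_SESSION
$token   = csrf_token($session);

var_dump(delete_event($db, $session, ['id' => '1', 'token' => $token], 7));    // valid request
var_dump(delete_event($db, $session, ['id' => '2', 'token' => 'guess'], 7));   // wrong token
var_dump(delete_event($db, $session, ['id' => '3', 'token' => $token], 7));    // event owned by another user
var_dump(delete_event($db, $session, ['id' => '2abc', 'token' => $token], 7)); // non-integer id
```

In a real page the token would go into a hidden field of the form that submits the delete, and `$_SESSION` and `$_POST` would be passed in place of the demo arrays.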