08-05-2007, 11:25 PM | #1
cfructose
Is this secure? If not, are 'session variable variables' possible?

I think I covered myself security-wise, but want to see if there's a hole anyone can point out.

I'm restricting access to certain pages when the user is not logged in. Part of the security config looks like this (the numbers, e.g. "01_01", refer to chapters and subchapters):

PHP Code:
if ($_SESSION['logged_in'] == "no") {
    $secure_01_01 = 0;
    $secure_01_02 = 0;
    $secure_01_03 = 0;
    $secure_01_04 = 0;
    $secure_02_01 = 1;
    $secure_02_02 = 1;
    $secure_02_03 = 1;
    $secure_02_04 = 1;
    $secure_03_01 = 0;
    $secure_03_02 = 1;
    $secure_03_03 = 1;
    $secure_03_04 = 1;
}
I then create the variable $restricted_access, with the predefined page-specific $chapter and $subchapter:

PHP Code:
$restricted_access = "secure_".$chapter."_".$subchapter;
and then...

PHP Code:
if ($$restricted_access != 1) {
    // display page
} else {
    // don't!
}

Can $$restricted_access be expressed as a SESSION variable variable? I'd feel happier if it were. But is that even necessary?

Aargh, I'm out of my depth here.
08-05-2007, 11:54 PM | #2
meth
From php.net:

"Warning: Please note that variable variables cannot be used with PHP's Superglobal arrays within functions or class methods. "

So no, a $_SESSION (a superglobal) cannot be a var var.
__________________
I do Web Design, Brisbane based.
More time spent in PHP/MySQL Web Development.
And Search Engine Optimisation takes up the rest of it.
08-06-2007, 09:19 AM | #3
cfructose
Thanks Meth,

I must have missed that 'warning'! - But I suspected that was the case.

So, any feedback on whether my approach is flawed?
:-)
08-06-2007, 12:09 PM | #4
firepages
Quote:
Originally Posted by meth View Post
From php.net:

"Warning: Please note that variable variables cannot be used with PHP's Superglobal arrays within functions or class methods. "

So no, a $_SESSION (a superglobal) cannot be a var var.
And a good job as well, else page.php?restricted_access=1 might allow you access if register_globals were turned on.

If you make your session an array
PHP Code:
<?
$_SESSION['my_access'] = array(
    'C1_S1' => 1,
    'C1_S2' => 0,
    /* etc */
);
?>
then you can simply check for that array value ...
<?
// key must match the 'C1_S1' form used in the array above
$chk = "C".$chapter."_S".$subchapter;
if (isset($_SESSION['my_access'][$chk]) && $_SESSION['my_access'][$chk] != 1) {
    header("Location: unauthorised.htm");
    exit; // stop here, otherwise the page body is still sent after the redirect header
}
?>
or similar;
Even with the above, depending on where $chapter and $subchapter come from, that may still be exploitable on a server with register_globals turned on, but that would depend on the rest of your code.

Edit: typo, off to on!
__________________
resistance is...

MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

Last edited by firepages; 08-07-2007 at 02:39 AM..
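A fail-closed version of the per-chapter check discussed in this reply, written as an added example (not firepages' or cfructose's code). It keeps the 'C1_S1' => 1 array shape suggested above and assumes $_SESSION['logged_in'] holds the string 'yes' for a logged-in user; anything missing from the session denies rather than allows.

```php
<?php
// Added example, not the thread's own code. Access is granted only when the
// session explicitly says so: a missing login flag, a missing grant map or a
// missing chapter key all deny, so the check cannot fail open.

// Builds the 'C<chapter>_S<subchapter>' key; casting to int means only
// digit keys are ever derived from the inputs.
function access_key($chapter, $subchapter) {
    return sprintf('C%d_S%d', (int)$chapter, (int)$subchapter);
}

// $session is passed in (rather than reading $_SESSION directly) so the
// decision can be checked against constructed sessions below.
function may_view(array $session, $chapter, $subchapter) {
    // Assumption: 'yes' marks a logged-in user; anything else is treated as not logged in.
    if (!isset($session['logged_in']) || $session['logged_in'] !== 'yes') {
        return false;
    }
    if (!isset($session['my_access']) || !is_array($session['my_access'])) {
        return false;                         // no grants recorded at all
    }
    $key = access_key($chapter, $subchapter);
    // Grants are stored as integer 1 (as in the array above); absent or 0 denies.
    return isset($session['my_access'][$key]) && $session['my_access'][$key] === 1;
}

// Page-level guard: redirect and stop. Without exit the rest of the page
// is still rendered after the Location header is sent.
function require_access($chapter, $subchapter) {
    if (!may_view($_SESSION, $chapter, $subchapter)) {
        header('Location: unauthorised.htm');
        exit;
    }
}

// Constructed sample sessions to exercise each branch.
$granted = array('logged_in' => 'yes', 'my_access' => array('C1_S1' => 1, 'C1_S2' => 0));
$cases = array(
    'explicit grant'      => may_view($granted, 1, 1),
    'explicit deny'       => may_view($granted, 1, 2),
    'no entry for page'   => may_view($granted, 9, 9),
    'empty session'       => may_view(array(), 1, 1),
    'logged_in not "yes"' => may_view(array('logged_in' => 'no') + $granted, 1, 1),
);
foreach ($cases as $label => $allowed) {
    printf("%-22s %s\n", $label, $allowed ? 'allow' : 'deny');
}
```

Only the first case prints allow; the page itself would call require_access($chapter, $subchapter) before any output.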
08-06-2007, 06:18 PM | #5
cfructose
Thanks so much for that erudite response. I'll implement that code immediately. :-)

Regarding session variable variables making abuse possible even with register globals off, I pondered the idea for a good five minutes before seeing what you meant, and then laughed out loud!

One follow up question:

$chapter and $subchapter are defined at the beginning of each page, but are never related to any user input, cookies, $_POST etc.

Does that mean that with register globals turned off, there are no security risks, or am I being naïve? I think I understand that no variables can be manipulated or taken advantage of in any way so long as they remain in PHP code that can't be visible to a user (i.e. which you don't $_GET, for example). Am I right?
08-07-2007, 02:57 AM | #6
firepages
Sorry, edited my post... I had globals off when I meant on!

register_globals off does not automagically make code safe, but it does remove a few gotchas. Personally, though, I think the best way forward is to assume that register_globals might be on or off and assume you have no control of that setting... even if you do.

Any uninitialized variables are targets for injection. Testing with error_reporting(E_ALL) will show you all those uninitialized variables, giving you an E_NOTICE (or is it an E_WARNING?); either way, you can then decide if that's an issue or not.

To answer: in your example, if $chapter and $subchapter are defined in each page with no reference to user input, then there is no way for anyone to rewrite them.
08-11-2007, 03:35 PM | #7
cfructose
Got it. Thanks :-)