Sessions, a problem when bookmarking?
dhtmlhelp
04-26-2003, 09:59 PM
Hi,
I am trying to clarify the issue of bookmarking when using sessions.
Will the browser store the url with the session number?
Does this constitute a security problem?
Is there any way of hiding the session ID from the URL?
Is there any way of bookmarking the URL without including the session ID?
and finally, is this an issue at all (I think it is in terms of clarity for the user bookmarking the page)
DH
Nightfire
04-26-2003, 11:52 PM
I've never had problems with sessions and bookmarks. Every session is unique (I think). Sessions usually last 30 mins or so, so after that amount of time the user is logged in, he/she will have to log in again; if they've bookmarked http://yoursite.com?PHPSESSID=dfs334325432dfs it will still ask for username etc. 31 mins later after inactivity.
Most places will use cookies and sessions for authentification (that even a word?) like these forums. If you posted a link with the sess id in it, no one would be signed in under your name, as they don't have the cookie with your name in it.
After 30 mins or if the browser is closed, the session is destroyed. So I doubt that is any security risk, unless someone walks away from the PC and leaves the browser wide open with them logged in...
To hide the sess id, don't pass it through the URL ;) I can't remember how to do it, but I've done it before. session_start() always seemed to put PHPSESSID=gfgs93423wefds etc. in the URL on the first page, but after the next page, that disappeared.
I'm drunk, been awake over 37 hours, so I'm not explaining very well, so maybe someone can help better.
dhtmlhelp
04-27-2003, 12:47 AM
Hi Nightfire,
that sounds good (getting rid of the session ID after the home page - or is it after the first page of the site that the user visits?).
What happens if the user accesses the site not from the front page?
If there are any other solutions please post them. Nightfire, the fire is out for tonight, sweet dreams :).
DH
Nightfire
04-27-2003, 03:18 AM
I'm no expert on this thing, but I guess that if someone tried to go to a member area from someone else's session via a link, I guess it won't work, as the user clicking the link won't have added the info into the session like the original user did.... or he/she would've overwritten the session with 'guest' as the cookie didn't exist.
As I said before, I'm probably wrong, but it's what's coming to mind at the mo'.
I'm off to bed now, before I make anything more complicated than it should be ;)
dhtmlhelp
04-27-2003, 04:02 AM
Hi Nightfire,
yes I think we clarified it is not a security issue. Hope to get some more responses soon and when you are sober (if that is at all a good thing to be ...)
DH
mordred
04-27-2003, 12:44 PM
Will the browser store the url with the session number?
That depends (always the best answer ;)). The first time you access a page that uses sessions, PHP doesn't know if your browser accepts cookies or not, and to enable sessions even when cookies are not accepted, the URL is rewritten and passes the session_id along as a GET parameter. Later on, if cookies are enabled, the URLs do not get rewritten.
Does this constitute a security problem?
Yes.
The session_id might turn up in other sites referrer logs, and sniffing the network traffic could reveal the session_id too if the traffic is not encrypted via SSL (this applies to cookie values too I think).
Is there any way of hiding the session ID from the URL?
Starting with PHP 4.3, there is a configuration option called session.use_only_cookies that prevents sending the session id as a GET parameter and requires the use of cookies.
If you can't use that, require the user to enable cookies. It's generally more secure with cookies because session cookies should be deleted by the browser when the browser is closed. The fallback mechanism that passes the session id in the URL is for those "security-aware" users that disable cookies for whatever reasons they have.
Is there any way of bookmarking the URL without including the session ID?
If you bookmark the page without the session_id in the URL, then the page won't have the same functionality/result as with a session_id. It depends a little on what you use sessions for. If they protect a certain area of a site against unauthorized use (like an admin area), you had better have people re-authenticate every time they access the area. Being able to pass around the authentication by using a bookmarked page (if that were possible) would circumvent your authentication strategy.
and finally, is this an issue at all (I think it is in terms of clarity for the user bookmarking the page)
It is an issue worth spending some time thinking about and asking questions, but it's not a grave security problem that would lead to the conclusion not to use sessions at all because they are not 100% secure. Using sessions is the standard way to enable persistence of data across pages for a session only, and that makes it perfectly valid for authentication schemes. Combine it with SSL and you have a very secure environment.
EDIT: The configuration option is called session_use_only_cookies of course, stupid me.
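A session bootstrap that applies the points made in this thread (cookies only, no session id in URLs, short idle timeout, re-authentication for the protected area), as an added example that is not code from anyone in the thread; it assumes PHP 5.2 or later and a login script of your own at /login.php:

```php
<?php
// Added example, not from the thread. Assumes PHP 5.2+ and a /login.php page.
// Keep the session id out of URLs: cookies only, no link/form rewriting.
ini_set('session.use_only_cookies', '1'); // ignore an id arriving via GET/POST
ini_set('session.use_trans_sid', '0');    // never append PHPSESSID to links
ini_set('session.cookie_httponly', '1');  // cookie not readable by page scripts
ini_set('session.cookie_secure', '1');    // only send the cookie over HTTPS
ini_set('session.cookie_lifetime', '0');  // session cookie: dropped on browser close

// Defensive check: if an old bookmark still carries ?PHPSESSID=..., do not
// honour it; redirect to the same URL without the query string so the id is
// not re-shared or written into referrer logs.
if (isset($_GET[session_name()])) {
    $clean = strtok($_SERVER['REQUEST_URI'], '?');
    header('Location: ' . $clean, true, 302);
    exit;
}

session_start();

// Call after the user's credentials have been verified.
function login_user($userId)
{
    // A fresh id on privilege change prevents reuse of a pre-existing id.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

// Call at the top of every page in the protected area (default idle limit: 30 min).
function require_login($idleSeconds = 1800)
{
    if (empty($_SESSION['user_id'])
        || time() - $_SESSION['last_seen'] > $idleSeconds) {
        $_SESSION = array();
        session_destroy();
        header('Location: /login.php', true, 302);
        exit;
    }
    $_SESSION['last_seen'] = time();
}
```

With session.use_only_cookies set, a bookmarked link containing a session id no longer restores anyone's session; a visitor with cookies disabled simply cannot log in, which is the trade-off mordred describes.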
dhtmlhelp
04-27-2003, 05:32 PM
Hi mordred,
thank you for such an exhaustive reply. To clarify:
1) I will make use of SSL and sessions. The idea is that when a user gets to the site, he/she is signed off to start with (assuming they closed the browser from the previous session). They can then log in and the session cookie is set or the GET parameter is sent to the server. Now my question is, I have seen many sites using sessions, but very few of them use SSL when doing a simple login. Does this mean they expect the user's browser to accept cookies or that they don't consider the GET parameter to be a security issue? My concern is with the cost of having an SSL line; it is included in my hosting package but I am wondering if it is at all convenient to use SSL even on non-payment pages, any advice?
2) Regarding bookmarking, I just thought it would be more convenient for a user to have a bookmark that says site.com instead of site.com/index.php;sessionid=UHGEWYTREHG for example. My question is does the browser automatically strip the URL of its session ID when bookmarking it?
thanks,
DH
mordred
04-27-2003, 06:35 PM
Originally posted by dhtmlhelp: Does this mean they expect the user's browser to accept cookies or that they don't consider the GET parameter to be a security issue?
I would say they expect both conditions to be true.
My concern is with the cost of having an SSL line, it is included in my hosting package but I am wondering if it is at all convenient to use SSL even on non payment pages, any advice?
From my experience, SSL is considered a must-have for all actions involving payment and sensitive data. If you are only using sessions to prevent unauthorized use of a script that lets you publish news items, I don't think that SSL is really needed. But as so often, it really depends on the application. Try to weigh costs and benefits against each other: to protect a newsticker script the cost is always there, but the benefit is security against a case with a very low probability.
My question is does the browser automatically strip the URL of its session ID when bookmarking it?
No, it doesn't. At least the browser shouldn't, and the user shouldn't care, because as long as the page has a value in its <title> tag, that value is used to represent the bookmark.
dhtmlhelp
04-28-2003, 01:00 AM
Hi mordred,
re bookmarking I think I finally get the point.
I was thinking of using SSL both at sign-in (that is, for users' sign-in - no credit card information is actually stored) and for transactions. Is the former over the top (I mean, is it at all an issue that hackers can, as you say, sniff the session id of a user logging in)?
I guess we all hope users have cookies enabled.
thanks for all your help.
DH