
Resolved: How secure are sessions?



melloorr
01-20-2012, 11:56 AM
Sorry if this is asked loads of times but how secure are sessions? I have a login script that uses both cookies and sessions and I know cookies can be easily intercepted but are sessions easy to manipulate?

myfayt
01-20-2012, 12:57 PM
Sessions are highly secure, way more than cookies. Now sessions can be, how do you say, hacked into, but it'd take very expensive equipment and extreme knowledge. Your everyday hacker won't be able to touch it, so sessions are safe; avoid cookies.

tangoforce
01-20-2012, 12:59 PM
Sessions are identified via cookies so the reality is they're only as safe as the cookie itself.

You could use the SID in each url but even that can be intercepted so your best bet is to check at the beginning of your script that the IP address is the same (although this is useless if someone is sniffing wifi packets on the same network).

melloorr
01-20-2012, 01:09 PM
Hmm... thanks tangoforce :)

How would I go about making it secure?

If I had a unique ID stored in a session, and a different unique ID stored in a cookie, and checked them both against a database for that user, would this be enough, or at least make it more difficult to hack? Or would the IP checking be best?

tangoforce
01-20-2012, 01:15 PM
Storing a unique id in the cookie would be pointless - it could be intercepted at any time by someone with a packet sniffer.

Your best bet would be to insert random keys in your URLs and store those in the session. Every time your user clicks a link you check in the beginning of your script that the key is correct in the session (or DB - you choose) and if it's correct then proceed, if not then it's an attacker and you can die(), exit() or whatever you choose.

Note though that your user may open pages in new tabs so you'd actually need to keep an array of keys in the session/DB and check that the one submitted is one of those. Don't clear the keys until the user logs out though (e.g. if they click back they'll be stuffed).

Whilst that also isn't 100% secure it would be a lot more work for an attacker.

I'm not quite sure where myfayt has got his info from, expensive hardware? - All you need is the session cookie so the browser transmits the session id to the server and that's it - the PHP will use the same session variables as the other user. Sure, sessions are more secure than cookies by the nature that sensitive info isn't sent back and forth but they can be hijacked.

melloorr
01-20-2012, 01:29 PM
That sounds pretty complicated to code if I'm honest :o

tangoforce
01-20-2012, 01:44 PM
Not really, if you use html templates then you can insert keys into your links anywhere simply by using str_replace() to replace a tag like <__url_key__> with the correct value. Even with mixed html/php it's pretty straightforward:



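<?php
//Template version
session_start(); //$_SESSION is only available once the session has been started

function get_template()
{
    return <<<STOP
<html>
<head>
<title>Template Demo</title>
</head>

<a href="http://www.yoursite.com?x=y&amp;key=<__key__>">Click this</a>
</html>
STOP;
}

//random_bytes() (PHP 7+) is unpredictable; uniqid() is derived from the clock and can be guessed
$Key = bin2hex(random_bytes(16));
$_SESSION['keys'][] = $Key; //Remember every key issued so links in other tabs keep working

print str_replace('<__key__>', $Key, get_template());
?>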




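<?php
//Mixed html/php
session_start(); //$_SESSION is only available once the session has been started

//random_bytes() (PHP 7+) is unpredictable; uniqid() is derived from the clock and can be guessed
$Key = bin2hex(random_bytes(16));
$_SESSION['keys'][] = $Key; //Remember every key issued so links in other tabs keep working
?>

<html>
<head>
<title>Template Demo</title>
</head>

<a href="http://www.yoursite.com?x=y&amp;key=<?php print $Key; ?>">Click this</a>
</html>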


When the user clicks any link, in the top of your code you simply check that the key is in the $_SESSION['keys'] array.

Job done :thumbsup:
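
The check described in the post above (is the submitted key one of those stored in the session?) is not shown in the thread; the following is an added example, not code from any poster. The names issue_key(), check_key() and MAX_KEYS are hypothetical, and a plain array stands in for $_SESSION so the script runs from the command line.

```php
<?php
// Added example, not from the thread. issue_key(), check_key() and MAX_KEYS
// are hypothetical names chosen for this illustration.
const MAX_KEYS = 50; // assumed cap so the per-session key list cannot grow without bound

// Create an unpredictable key, remember it in the session, return it for use in a link.
function issue_key(array &$session): string
{
    $key = bin2hex(random_bytes(16));   // 128 bits from the OS CSPRNG (PHP 7+)
    $session['keys'][] = $key;
    // Keep only the newest MAX_KEYS keys; recent tabs and the back button keep working.
    $session['keys'] = array_slice($session['keys'], -MAX_KEYS);
    return $key;
}

// True only if $submitted is a non-empty string equal to a key issued to this session.
function check_key(array $session, $submitted): bool
{
    if (!is_string($submitted) || $submitted === '') {
        return false;                   // missing key, or array input such as ?key[]=x
    }
    $ok = false;
    foreach ($session['keys'] ?? [] as $known) {
        // hash_equals() compares in constant time, so response timing does not
        // reveal how many leading characters of a guess were correct.
        if (hash_equals($known, $submitted)) {
            $ok = true;
        }
    }
    return $ok;
}

// Constructed demo data standing in for $_SESSION and $_GET['key'].
$session = [];
$first  = issue_key($session);   // key placed in the links on page 1
$second = issue_key($session);   // key placed in the links on page 2

var_dump(check_key($session, $first));                 // key from an older page or tab
var_dump(check_key($session, $second));                // key from the newest page
var_dump(check_key($session, substr($first, 0, -3)));  // key with characters deleted
var_dump(check_key($session, ['x']));                  // array instead of a string
var_dump(check_key([], $first));                       // session that was never issued this key
```

In a real page, call session_start() first, pass $_SESSION and $_GET['key'] ?? null, and send a 403 and exit when check_key() returns false. The key travels in the URL over the same connection as the session cookie, so on plain HTTP a sniffer sees both.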

melloorr
01-20-2012, 02:01 PM
Thanks, that really isn't complicated is it :)

tangoforce
01-20-2012, 02:34 PM
As I say it's still not foolproof but it gives any potential hacker another challenge to haggle with.

melloorr
01-20-2012, 03:31 PM
I have done it now I think. A new code is given on each page, and they can press back and open a new tab. If they delete some characters from the key, so it is not in the array, then the page does not load.

Thanks again

felgall
01-20-2012, 07:24 PM
To make the session more secure you could use HTTPS - that would then mean that the cookie content identifying the session would be encrypted as it is passed back and forth between the browser and the server using a certificate attached to the browser for part of the encryption process and so making it impossible to access from any other browser.


