  • #1 Regular Coder melloorr (joined Dec 2011, NW England, 194 posts)

    How secure are sessions?

    Sorry if this is asked loads of times but how secure are sessions? I have a login script that uses both cookies and sessions and I know cookies can be easily intercepted but are sessions easy to manipulate?
    Last edited by melloorr; 01-20-2012 at 03:31 PM.

  • #2 Senior Coder myfayt (joined Apr 2010, 1,447 posts)
    Sessions are highly secure, way more than cookies. Now sessions can be, how do you say, hacked into, but it'd take very expensive equipment and extreme knowledge. Your everyday hacker won't be able to touch it, so sessions are safe; avoid cookies.
    Been a sign maker for 7 years. My business:
    American Made Signs

  • #3 Senior Coder tangoforce (joined Feb 2011, location "Your Monitor", 4,327 posts, 4 blog entries)
    Sessions are identified via cookies so the reality is they're only as safe as the cookie itself.

    You could use the SID in each url but even that can be intercepted so your best bet is to check at the beginning of your script that the IP address is the same (although this is useless if someone is sniffing wifi packets on the same network).
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • #4 Regular Coder melloorr (joined Dec 2011, NW England, 194 posts)
    Hmm... thanks tangoforce

    How would I go about making it secure?

    If I had a unique ID stored in a session, and a different unique ID stored in a cookie, and checked them both against a database for that user, would this be enough, or at least make it more difficult to hack? Or would the IP checking be best?

  • #5 Senior Coder tangoforce (joined Feb 2011, location "Your Monitor", 4,327 posts, 4 blog entries)
    Storing a unique id in the cookie would be pointless - it could be intercepted at any time by someone with a packet sniffer.

    Your best bet would be to insert random keys in your urls and store those in the session. Every time your user clicks a link you check at the beginning of your script that the key is correct in the session (or DB - you choose) and if it's correct then proceed; if not then it's an attacker and you can die(), exit() or whatever you choose.

    Note though that your user may open pages in new tabs so you'd actually need to keep an array of keys in the session/DB and check that the one submitted is one of those. Don't clear the keys until the user logs out though (e.g. if they click back they'll be stuffed).

    Whilst that also isn't 100% secure it would be a lot more work for an attacker.

    I'm not quite sure where myfayt has got his info from, expensive hardware? - All you need is the session cookie so the browser transmits the session id to the server and that's it - the php will use the same session variables as the other user. Sure, sessions are more secure than cookies by the nature that sensitive info isn't sent back and forth, but they can be hijacked.
    Last edited by tangoforce; 01-20-2012 at 01:17 PM.


  • #6 Regular Coder melloorr (joined Dec 2011, NW England, 194 posts)
    That sounds pretty complicated to code if I'm honest

  • #7 Senior Coder tangoforce (joined Feb 2011, location "Your Monitor", 4,327 posts, 4 blog entries)
    Not really, if you use html templates then you can insert keys into your links anywhere simply by using str_replace() to replace a tag like <__url_key__> with the correct value. Even with mixed html/php it's pretty straight forward:

    PHP Code:
    <?php
    //Template version
    session_start(); // the session must be started before $_SESSION is used

    function get_template()
       {
       return <<<STOP
    <html>
       <head>
          <title>Template Demo</title>
       </head>

       <a href="http://www.yoursite.com?x=y&key=<__key__>">Click this</a>
    </html>
    STOP;
       }

    $Key = uniqid();
    $_SESSION['keys'][] = $Key; // remember every key issued in this session

    // swap the placeholder tag in the template for this page's key
    print str_replace('<__key__>', $Key, get_template());
    ?>
    PHP Code:
    <?php
    //Mixed html/php
    session_start(); // the session must be started before $_SESSION is used
    $Key = uniqid();
    $_SESSION['keys'][] = $Key; // remember every key issued in this session
    ?>

    <html>
       <head>
          <title>Template Demo</title>
       </head>

       <a href="http://www.yoursite.com?x=y&key=<?php print $Key; ?>">Click this</a>
    </html>
    When the user clicks any link, at the top of your code you simply check that the key is in the $_SESSION['keys'] array.

    Job done

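The post above shows how to put a key into each link but not the check that runs when the link is clicked. Here is that check as an added example; it is not tangoforce's code, and the function names, the MAX_KEYS cap and the /page.php link are my own assumptions. It keeps the same $_SESSION['keys'] array as the posted code, so it also passes the test melloorr describes later in the thread (deleting characters from the key makes the page refuse to load). One change from the posted code: uniqid() is built from the clock and is guessable, so the key is drawn from random_bytes() instead.

```php
<?php
// Added example (not from the original posts): the server-side check that goes
// with the per-link keys described above. Names below are my own assumptions.
declare(strict_types=1);

// Assumption: cap the array so a long session does not grow without bound.
// The oldest keys are dropped first, so recent tabs and the back button keep working.
const MAX_KEYS = 200;

// Issue a fresh key for the page being rendered and remember it in the session.
// random_bytes() is used instead of uniqid(): uniqid() is derived from the clock,
// so an attacker who can guess the time can guess the key.
function issue_url_key(): string
{
    $key = bin2hex(random_bytes(16)); // 32 hex chars, 128 bits of randomness
    if (!isset($_SESSION['keys']) || !is_array($_SESSION['keys'])) {
        $_SESSION['keys'] = [];
    }
    $_SESSION['keys'][] = $key;
    if (count($_SESSION['keys']) > MAX_KEYS) {
        $_SESSION['keys'] = array_slice($_SESSION['keys'], -MAX_KEYS);
    }
    return $key;
}

// True only if the submitted key is one this session issued.
// The third argument to in_array() forces a strict string comparison.
function url_key_is_valid(?string $submitted): bool
{
    if ($submitted === null || $submitted === '') {
        return false;
    }
    if (!isset($_SESSION['keys']) || !is_array($_SESSION['keys'])) {
        return false;
    }
    return in_array($submitted, $_SESSION['keys'], true);
}

// Call at the top of every protected script, before any output, as the post
// suggests. A missing, forged or truncated key ends the request.
function require_valid_url_key(): void
{
    if (!url_key_is_valid($_GET['key'] ?? null)) {
        // Log it as well as refusing it, so hijack attempts are visible afterwards.
        error_log('rejected request with bad or missing url key from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(403);
        exit('Invalid request');
    }
}

session_start();
require_valid_url_key();    // reject anyone who has the session cookie but no valid key
$nextKey = issue_url_key(); // key for the links rendered on this page
?>
<a href="/page.php?x=y&amp;key=<?= htmlspecialchars($nextKey, ENT_QUOTES) ?>">Click this</a>
```

The login handler is the one page that calls issue_url_key() without calling require_valid_url_key() first, so the first page after login has a key to link with. Two caveats worth knowing before relying on this: keys in URLs are written to the browser history and to the server's access log, and are sent in the Referer header to any external site the page links to, so an attacker who already holds the session cookie and obtains one of those URLs is back in; and the check only helps while the cookie itself is protected in transit.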

  • #8 Regular Coder melloorr (joined Dec 2011, NW England, 194 posts)
    Thanks, that really isn't complicated is it

  • #9 Senior Coder tangoforce (joined Feb 2011, location "Your Monitor", 4,327 posts, 4 blog entries)
    As I say, it's still not foolproof, but it gives any potential hacker another challenge to haggle with.

  • #10 Regular Coder melloorr (joined Dec 2011, NW England, 194 posts)
    I have done it now I think. A new code is given on each page, and they can press back and open a new tab. If they delete some characters from the key, so it is not in the array, then the page does not load.

    Thanks again

  • #11 Master Coder felgall (joined Sep 2005, Sydney, Australia, 6,640 posts)
    To make the session more secure you could use HTTPS. That would then mean that the cookie content identifying the session would be encrypted as it is passed back and forth between the browser and the server, using a certificate attached to the browser for part of the encryption process, and so making it impossible to access from any other browser.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.
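As an added example, not felgall's or tangoforce's code, here is the cookie-side hardening that goes with the HTTPS suggestion in #11 and the IP check suggested in #3. HTTPS encrypts the session cookie in transit using the server's certificate, which is what stops the packet sniffing the thread worries about; it does not stop a cookie copied out of a browser by other means (injected script, malware on the client) from being replayed from another browser, which is why the cookie flags, the id regeneration at login and the re-authentication below still matter. The array form of session_set_cookie_params() needs PHP 7.3 or later; the function names and the /login.php path are assumptions.

```php
<?php
// Added example (not from the original posts): settings that make the cookie
// carrying the PHP session id harder to steal or reuse. Names are assumptions.
declare(strict_types=1);

function start_hardened_session(): void
{
    // The session id must travel only in a cookie, never in the URL: an id in a
    // link ends up in logs, browser history and Referer headers.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse any id the server did not issue itself (blocks fixation with a made-up id).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',     // current host only
        'secure'   => true,   // sent over HTTPS only, so it cannot be sniffed on the wire
        'httponly' => true,   // not readable from JavaScript, limiting theft via XSS
        'samesite' => 'Lax',  // not attached to cross-site POSTs
    ]);
    session_start();
}

// Call right after the password check succeeds. A fresh id means any id an
// attacker captured or planted before login is worthless afterwards.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    // Optional binding, as suggested in #3: remember where the session began.
    $_SESSION['bound_ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['bound_ua'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
}

// True when the request comes from the same address and browser the session was
// created on. Caveat from the thread, still true: an attacker on the same network
// (or behind the same NAT or proxy) shows the same address, and genuine users on
// mobile networks change address, so treat a mismatch as a reason to ask for the
// password again rather than as proof of an attack.
function session_binding_ok(): bool
{
    if (!isset($_SESSION['bound_ip'], $_SESSION['bound_ua'])) {
        return false;
    }
    return hash_equals($_SESSION['bound_ip'], $_SERVER['REMOTE_ADDR'] ?? '')
        && hash_equals($_SESSION['bound_ua'], $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Clear the server-side data and expire the cookie in the browser.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

start_hardened_session();
if (isset($_SESSION['user_id']) && !session_binding_ok()) {
    logout();
    header('Location: /login.php'); // assumed path of the login page
    exit;
}
```

Run start_hardened_session() in place of session_start() on every page, call on_login() from the login script, and keep the site entirely on HTTPS; with the secure flag set the browser will not send the cookie to a plain http:// URL at all, so a mixed http/https site would lose its session on every plain page.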

