03-22-2004, 12:55 PM | #1
heaps21
session security

What is the most secure way to use sessions? Currently when a user logs in I save a session variable of the username and use this in every subsequent page. This way though, anyone would be able to type the URL and append the username to the URL to gain access without logging in. I presume it is better to use session IDs somehow, it's just that I'm not sure of the best way to do it. Any opinions would be appreciated.
03-22-2004, 12:59 PM | #2
Az`
Well, obviously the best way to do sessions is with session IDs. Although, it does depend on your server setup: having register_globals turned on means you'll have to use session_register(). Take a look at: http://uk.php.net/manual/en/function.session-start.php

Remember to put session_start() before ANY output.


Edit: If you want to keep it your way, however, you could always append an md5 hash of their password onto the URL (using md5($password)).

Last edited by Az`; 03-22-2004 at 01:06 PM..
03-22-2004, 01:19 PM | #3
heaps21
How about passing the session ID in the URL AS WELL as writing it to a session table in the database, then on each page check whether the session ID passed to the page matches that saved in the database? Is that along the lines of being more secure, or have I got the wrong end of the stick?
03-22-2004, 01:25 PM | #4
Az`
Well, if you are using session IDs then you don't need to append anything BUT that through the URLs.

It does tend to depend on your PHP setup - such as session.use_trans_sid to (I think) automatically append the SID to URLs.

It's most likely easiest to use cookies to keep sessions going.
03-22-2004, 01:31 PM | #5
heaps21
Ok, but I had that idea because each page needs to know which user is logged in. I don't really want to use cookies in case the user hasn't got them enabled. Would my previous suggestion (assuming the setup for session IDs is ok) work? Would it be seen as secure?
03-22-2004, 02:10 PM | #6
Nightfire
Arghhhh. Don't use session_register. Just use the superglobal $_SESSION. Whether the session is passed through the URL or not depends on whether cookies are enabled. If cookies aren't, then it gets sent through the URL; if they are accepted, then it's passed 'transparently'.

To check if a user's logged in (the very basic way):
PHP Code:
<?php
session_start();
if (isset($_SESSION['name'])) {
    echo 'logged in';
} else {
    // show login form here
}
?>

Last edited by Nightfire; 03-22-2004 at 02:21 PM..
03-22-2004, 02:19 PM | #7
raf
Euhhh. What a strange discussion.

When a client requests his first page, the webserver will check if this client has an active session, either because the SID is in the querystring or because a session cookie is set.
On the first page, the parser will automatically add the SID to each link since it doesn't know if the client accepts cookies.

If the client accepts cookies, the SID is removed from the querystring and the session cookie (that only contains an encoded session ID) is used. If cookies are not accepted, the SID is dragged along by the querystring.

This is all done automatically.

I don't quite understand this:
Quote:
What is the most secure way to use sessions? Currently when a user logs in I save a session variable of the username and use this in every subsequent page. This way though, anyone would be able to type the URL and append the username to the URL to gain access without logging in. I presume it is better to use session IDs somehow, it's just that I'm not sure of the best way to do it.
Type the URL and add the username? What has this got to do with sessions?

After you validated the login, you just set a flag --> set some value in a session variable, like

session_start();
$_SESSION['loggedin'] = 'yes';

and then on top of each page, you do a

session_start();
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] != 'yes') {
    die('not logged in');
}

Whether the session ID is pulled from the querystring or cookie is not your concern. It depends mainly on the user's cookie settings.

Users that use cookies are safer because that is more difficult to steal. When it is appended to the querystring, it can be read + it is also appended to external links ... But you can not force the sessions to be cookie-based, unless you deny access to users without cookie support.

The safest way is to also store the IP (for users with a stable IP --> not like AOL) + to combine it with a newly generated session ID for each request ( http://www.php.net/manual/en/functio...enerate-id.php ). So with each request, you update your session table. Stealing a session would only work if the hacker can request his first page before the user did.

<edit>posts crossed</edit>
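The login flag that Nightfire and raf describe above, combined with raf's suggestions (new session ID on login, optional IP binding, cookie-only sessions), as an added example; this is not code from any post in the thread, and the function names and the 'loggedin' / 'ip' keys are assumptions.

```php
<?php
// Added example, not from the thread: a minimal login flag with the
// hardening steps discussed above. Function names are assumptions.

// Keep the SID out of URLs and out of reach of page scripts.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');
session_start();

// Call only after the username/password check has succeeded.
function login_user(string $username): void
{
    // New session ID on login: an ID a client held before authenticating
    // never becomes a logged-in session (guards against fixation).
    session_regenerate_id(true);
    $_SESSION['loggedin'] = 'yes';
    $_SESSION['username'] = $username;
    // IP binding as raf suggests; breaks for users whose IP changes
    // mid-session (rotating proxies), so drop it if that is your audience.
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
}

// True when the session carries a valid login. Run at the top of every page.
function is_logged_in(): bool
{
    if (($_SESSION['loggedin'] ?? '') !== 'yes') {
        return false;
    }
    // Reject a session replayed from a different address.
    if (($_SESSION['ip'] ?? null) !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        return false;
    }
    return true;
}

function require_login(): void
{
    if (!is_logged_in()) {
        // Throw away whatever state the bad session carried.
        $_SESSION = [];
        session_destroy();
        die('not logged in');
    }
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```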
03-22-2004, 04:21 PM | #8
heaps21
Right, ok - I think I was confusing myself with what I wrote, never mind you guys!!

At the moment if a login is successful I save the username as a session. On every subsequent page I check the value of username. If there is one, the user is logged in. All the session stuff I have at the moment works fine, I was just wondering if the way I described is the best way. I have read things about session management using session IDs and a db table but never really understood the point. Sorry if I confused anyone!!