Security of session variables?



wallface
Joined: Sun Aug 23, 2009 9:08 am

Security of session variables?

Post by wallface »

I'm working on this game where most tables are keyed off of the user id. Is it safe to include the userid as a session variable after they log in? Can a user access their session variables and if so, can someone do something with that information they wouldn't otherwise be able to do?
jackpf
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Security of session variables?

Post by jackpf »

No, the user cannot directly access their session data.

However, you could be vulnerable to session jacking, especially if you're on a shared server.

I've heard that the best way to secure sessions is to:

1) store the sessions in a database rather than temp files
2) validate the user's IP address compared to the one they logged on with on each page request
3) possibly validate their browser as well, for extra security

Oh, and make sure you don't have any XSS vulnerabilities on your site. They would make it easy for someone to steal someone else's session.
Stoker
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Re: Security of session variables?

Post by Stoker »

A couple of notes here...
#2 in the previous post won't work too well: many ISPs (mostly AOL) proxy requests, so IPs will change.
#3 is better and more doable, as the browser string usually won't change.

bottom line here is the question of what are you trying to protect?

If you are in a shared hosting environment, I assume you want to protect against other users on that host peeking into active session data. For that purpose, note #1, storing sessions in DB tables, is better, but it is really just obfuscation, as someone could find the files with the DB login info and indirectly query the database tables directly.
To protect portions of the actual session or user data, I recommend symmetric encryption using a key that is stored in a cookie on the client side; that way the session data can only be decrypted by the user with that key. Changing the key every N sessions could also be done. This is obviously pretty expensive as far as CPU/resources go, and you need to question whether it is necessary; it may be better, and perhaps enough, to just use a dedicated machine.

Protecting against session hijacking can be tricky. Using SSL is a good start; adding unique POST or GET identifiers to every new page load should help, depending on what has to be allowed in the way of "refresh" and "back" loads by the end user...

Going back to the original question: it is likely OK to include the user id in session data; if you are on a dedicated machine it should be decently protected. If someone gained access to see session data, they can probably see the rest of your application data and scripts as well; that is what you have to assume anyway.
I don't know the application, but make sure it doesn't allow some user to change something in POST or GET data that will let them ask for table data that doesn't belong to them...
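An added example (not Stoker's code, nor any project's) of the two points in his reply: keeping a sensitive session value encrypted under a key that lives only in a client cookie, and selecting rows by the user id the server put in the session rather than by an id taken from the request. It assumes PHP 8 with the bundled libsodium extension, an HTTPS site (the key cookie is marked Secure), a PDO connection `$db`, `$_SESSION['user_id']` set at login, and a hypothetical `scores` table with `user_id` and `score` columns. One caveat a practitioner should keep in mind: the key cookie travels with every request, so this hides the value from someone reading the session store at rest, but anyone who has stolen the user's cookies holds the key as well.

```php
<?php
// Added example, not the forum's code. Assumes PHP 8 + libsodium, HTTPS,
// a PDO connection $db and a hypothetical `scores` table (user_id, score).
declare(strict_types=1);

const KEY_COOKIE = 'sk';

// The key is random, issued once, and stored only in an HttpOnly/Secure
// cookie on the client; the server never persists it.
function clientKey(): string
{
    if (isset($_COOKIE[KEY_COOKIE])) {
        $key = base64_decode($_COOKIE[KEY_COOKIE], true);
        if ($key !== false && strlen($key) === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            return $key;
        }
    }
    $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    // setcookie() must run before any output is sent.
    setcookie(KEY_COOKIE, base64_encode($key), [
        'httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/',
    ]);
    $_COOKIE[KEY_COOKIE] = base64_encode($key);   // usable in this request too
    return $key;
}

// Store only ciphertext in the session: whoever reads the session files or
// the DB table sees nonce + secretbox, not the value.
function sealSessionValue(string $name, string $plaintext, string $key): void
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox($plaintext, $nonce, $key);
    $_SESSION[$name] = base64_encode($nonce . $box);
    sodium_memzero($plaintext);
}

// Returns null when the value is absent, the key is wrong, or the stored
// data was tampered with (secretbox is authenticated, so edits are detected).
function openSessionValue(string $name, string $key): ?string
{
    if (!isset($_SESSION[$name])) {
        return null;
    }
    $raw = base64_decode($_SESSION[$name], true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Bad: the row is chosen by whatever id the client sent, so changing
// ?uid= in the URL returns another player's data.
function scoresInsecure(PDO $db): array
{
    $st = $db->prepare('SELECT score FROM scores WHERE user_id = ?');
    $st->execute([(int) ($_GET['uid'] ?? 0)]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Good: the row is chosen by the id the server placed in the session at
// login; nothing in GET or POST can redirect the query to another user.
function scoresForSessionUser(PDO $db): array
{
    if (!isset($_SESSION['user_id'])) {
        http_response_code(401);
        exit;
    }
    $st = $db->prepare('SELECT score FROM scores WHERE user_id = ?');
    $st->execute([(int) $_SESSION['user_id']]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Usage (after session_start()):
//   sealSessionValue('email', $email, clientKey());
//   $email = openSessionValue('email', clientKey());
```

Keep the user id itself in the clear in the session; it is the lookup key every page needs, and a process that can read the session store can, as the reply above notes, probably read the application's own tables anyway. Encrypt only the values whose exposure at rest would actually matter.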