How secure are sessions?

JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

How secure are sessions?

Post by JellyFish »

I just realized that a php session is controlled by a session ID stored in a cookie on the client's browser. This ID is a 32 bit base 64 encoded string and is sent to the server in every header of every request. If I'm correct this means that all someone would have to do to "steal" a session is to send the same session ID. What I mean by steal is to actually be logged in to someone's account. How is this secure? What prevents me from repeatedly sending a different random session ID until I have found one that is in use? If there are a lot of users logged in to a site there would be a lot of session IDs being used.

So how does a developer prevent such an insecurity? I usually thought a "log in" or a "sign in" on a site was just php session variables stored on the server. But now I realize that there must be more to a log in. If there is not more to it, then I could crack into people's accounts on all the sites out there.

I'm so very confused on how logins are handled. :S

Thanks for reading. I appreciate any help with my confusion.

EDIT:

Actually I just realized that 64^32 (which is the number of possible session IDs) is over 6 octodecillion (6,277,101,740,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000). Even if there were 9 billion people logged on all at once that would mean a cracker would have to go through at least 1 quindecillion (1 with 48 zeros following). I guess it's very unrealistic to think that you can just simply loop through all of these possible values and finally strike gold.

But I noticed that sessions on the server don't die right away. Shut down their browser, but how long does the session remain on the server? Over time every user would have multiple sessions on the server not being used anymore.

Someone please reassure me with some common sense. 8O
Weiry
Forum Contributor
Posts: 323
Joined: Wed Sep 09, 2009 5:55 am
Location: Australia

Re: How secure are sessions?

Post by Weiry »

I couldn't tell you the majority of ways, but I have come across a piece of code at some point which would actually store your IP address along with your session ID in a temporary entry in a database table, and when the session expired/user logged out, it would be deleted from the database.
That way there could be a check to make sure the browser supplying the 'stolen' session could be checked against the IP address.
Although I'm not sure how long ago I saw this, so it's probably a fairly inefficient sort of check, although a quick Google led me to
PHPSec which does provide 'some' useful information.
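The check Weiry describes, written as an added example that is not code from this thread or from PHPSec: the client's address (and a hash of the User-Agent) is stored in the session itself at login instead of in a separate database table, and every later request compares the live values against the stored ones. The helper names, the login page path and the use of REMOTE_ADDR as the trusted address are assumptions for the example.

```php
<?php
// Added example: bind a PHP session to the client that created it.
// Helper names and the /login.php path are hypothetical.

function client_ip(): string
{
    // REMOTE_ADDR is filled in by the web server from the TCP connection,
    // so the client cannot set it the way it can set X-Forwarded-For.
    // Behind a trusted reverse proxy you would use the proxy's header instead
    // (assumption: no proxy in front of this server).
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function user_agent_fingerprint(): string
{
    // Hash rather than store the raw header; it can be long and is only
    // ever compared for equality.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function bind_session_to_client(int $userId): void
{
    // Call once, right after the password check succeeds. Regenerating the
    // ID here also means an ID handed to the user before login is worthless.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['bound_ip'] = client_ip();
    $_SESSION['bound_ua'] = user_agent_fingerprint();
}

function session_matches_client(): bool
{
    // Returns false if the session was never bound or the client changed.
    if (!isset($_SESSION['bound_ip'], $_SESSION['bound_ua'])) {
        return false;
    }
    return hash_equals($_SESSION['bound_ip'], client_ip())
        && hash_equals($_SESSION['bound_ua'], user_agent_fingerprint());
}

session_start();

if (isset($_SESSION['user_id']) && !session_matches_client()) {
    // The presented session ID is valid but arrived from a different client:
    // treat it as possibly stolen, throw the session away and require a new
    // login instead of serving the page.
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');
    exit;
}
```

Two limits are worth knowing before relying on this. Legitimate users change IP addresses (mobile networks, some ISPs, corporate proxies), so a strict IP check logs them out unexpectedly; and everyone behind the same NAT or proxy shares one address, so an attacker on the same network passes the check. It is a useful extra hurdle on top of ID regeneration and short expiry, not a replacement for them.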
Mirge
Forum Contributor
Posts: 298
Joined: Thu Sep 03, 2009 11:39 pm

Re: How secure are sessions?

Post by Mirge »

There are some simple ways to prevent session hijacking... on each HTTP request create a new session ID (see: http://www.php.net/session_regenerate_id/), expire sessions somewhat quickly so inactivity leads to an expired session (see: http://www.php.net/session_set_cookie_params/), etc. Google around for more techniques to avoid session hijacking.
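The two measures Mirge lists, plus the server-side garbage-collection lifetime that John Cartwright points at further down, combined into one bootstrap file as an added example (this is not code from the thread). The 15-minute idle limit, the 5-minute rotation interval and the assumption that the site is served over HTTPS are choices made for the example; session_set_cookie_params with an options array needs PHP 7.3 or later.

```php
<?php
// Added example: session hardening to include before any other session use.
// The limits below are assumptions for the example, not PHP defaults.

const SESSION_IDLE_LIMIT   = 900;  // seconds of inactivity before the login is dropped
const SESSION_ROTATE_EVERY = 300;  // seconds between forced session ID rotations

// Let the server-side garbage collector forget idle sessions on the same
// schedule the application does, so stale session files do not pile up.
ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_LIMIT);
// Accept only IDs that PHP itself generated; an unknown ID gets a fresh one.
ini_set('session.use_strict_mode', '1');
// Take the ID from the cookie only, never from the URL.
ini_set('session.use_only_cookies', '1');

// lifetime 0 = cookie dies with the browser; HttpOnly keeps it away from
// JavaScript; Secure restricts it to HTTPS (assumes the site uses TLS).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

$now = time();

// Inactivity expiry: if the previous request is older than the limit,
// discard the session data and issue a new ID before continuing.
if (isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > SESSION_IDLE_LIMIT) {
    $_SESSION = [];
    session_regenerate_id(true);
}
$_SESSION['last_seen'] = $now;

// Periodic rotation: a leaked ID stays usable only until the next rotation.
// Rotating on every request, as Mirge suggests, is the strict form; rotating
// every few minutes avoids races between concurrent requests (e.g. AJAX calls)
// that would otherwise carry an ID the server has just deleted.
if (!isset($_SESSION['rotated_at']) || ($now - $_SESSION['rotated_at']) > SESSION_ROTATE_EVERY) {
    session_regenerate_id(true);  // true = delete the old session file too
    $_SESSION['rotated_at'] = $now;
}

// Rotate unconditionally whenever privilege changes, most importantly at login.
function on_successful_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['rotated_at'] = time();
}
```

The idle check and gc_maxlifetime solve the worry in the first post about sessions lingering after the browser is closed: the server stops honouring the ID after the idle limit regardless of whether the cookie still exists, and the garbage collector removes the file behind it.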
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: How secure are sessions?

Post by John Cartwright »

JellyFish wrote:But I noticed that sessions on the server don't die right away. Shut down their browser, but how long does the session remain on the server? Over time every user would have multiple sessions on the server not being used anymore.

Someone please reassure me with some common sense. 8O
A quick Google on php garbage collector +session has some pretty good explanations. :)