Session management and secure aspect
Posted: Mon Apr 05, 2004 9:22 pm
Hello,
I'm redoing my session management. First, about my old system.
It works very well, with or without cookies (depending on what the user supports). But I haven't thought about
any big security aspects.
Old system:
It is a DB-based system with a dynamically generated session ID (md5). I do NOT use any PHP session function. And I programmed it as a class.
OK, I know it's not the fastest way with classes, but for this purpose it's fast enough.
I want to add some new functions for more security in the session.
My idea is:
I'll redo my session class with the following aims:
4 different work scenarios:
session: normal without cookies (via URL appending, like the old system)
session: normal with cookies (like the old system)
session: secure without cookies
additional check (and save in DB) of:
IP ($_SERVER['REMOTE_ADDR'])
User agent (browser) ($_SERVER['HTTP_USER_AGENT'])
session: secure with cookies
like session secure without cookies, but additionally:
set a random hash (md5, like the ID)
this hash is only valid for one reload
every time the session is called, it generates a new random hash
to protect the session ID.
(It is saved in the DB, of course.)
Information for checking the validity of a session:
User agent:
It is not very safe, because many similar browsers are in use.
IP:
Problematic is that users behind a router or something like that
have the same IP, and the IP can change dynamically
-> session's dead! (if the IP changes)
Session ID per URL:
easy to steal/abuse, but necessary for users who don't support cookies
(only used when cookies don't work!)
Session ID per cookie:
better protection than per URL, but still not very safe (easy to copy a cookie)
Session cookie with dynamically generated security hash:
improves the protection a lot. The "bad guy" has to get both cookies
and must be faster than the user clicks again...
the security hash changes with every reload/load of a page
What do you think about this beginning?
Any better ideas?
Criticism?
All welcome!
greez Pozor
PS: sorry, my English isn't the best... I know (I'm still working on it)
Standing still is going backwards!
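The "secure with cookies" scenario Pozor describes (session ID plus a one-time token that is rotated on every request, both bound to IP and User-Agent and stored server-side), worked through as an added example. This is not Pozor's class and not code from the thread: it assumes PHP 7.4+, uses an in-memory array in place of the DB table, swaps in random_bytes() for md5() and hash_equals() for the comparisons, and the request data (IP addresses, User-Agent string, timestamps) is constructed for the demonstration.

```php
<?php
declare(strict_types=1);
// Added example, not Pozor's class: the "secure with cookie" scenario from the post,
// with an in-memory array standing in for the DB table. Swapped-in modern primitives:
// random_bytes() instead of md5() for the ID and the one-time token, sha256 for the
// stored User-Agent fingerprint, hash_equals() for constant-time comparison (PHP 7.4+).

final class SecureSession
{
    /** @var array<string, array{ip:string, ua_hash:string, token:string, expires:int}> */
    private array $store = [];      // stands in for the sessions table
    private int $ttl;

    public function __construct(int $ttl = 1800) { $this->ttl = $ttl; }

    /** Open a session bound to the client's IP and User-Agent; returns [sessionId, token]. */
    public function start(string $ip, string $ua, int $now): array
    {
        $sid   = bin2hex(random_bytes(16));
        $token = bin2hex(random_bytes(16));
        $this->store[$sid] = [
            'ip'      => $ip,
            'ua_hash' => hash('sha256', $ua),
            'token'   => $token,
            'expires' => $now + $this->ttl,
        ];
        return [$sid, $token];
    }

    /**
     * Check one request. On success the one-time token is rotated and the new value is
     * returned for the caller to set as the second cookie. On any mismatch or expiry the
     * session row is deleted and null is returned, so a copied cookie pair works at most
     * once, and only if it is presented before the real user's next click.
     */
    public function touch(string $sid, string $token, string $ip, string $ua, int $now): ?string
    {
        $row = $this->store[$sid] ?? null;
        if ($row === null || $now > $row['expires']) {
            unset($this->store[$sid]);
            return null;
        }
        $ok = hash_equals($row['token'], $token)
           && hash_equals($row['ua_hash'], hash('sha256', $ua))
           && $row['ip'] === $ip;                 // IP binding: NAT users share it, DHCP users lose it
        if (!$ok) {
            unset($this->store[$sid]);            // kill the session, as the post proposes
            return null;
        }
        $new = bin2hex(random_bytes(16));
        $this->store[$sid]['token']   = $new;     // rotate: the old token is now dead
        $this->store[$sid]['expires'] = $now + $this->ttl;
        return $new;
    }

    public function exists(string $sid): bool { return isset($this->store[$sid]); }
}

function check(bool $cond, string $what): void
{
    if (!$cond) { throw new RuntimeException("FAILED: $what"); }
    echo "ok: $what\n";
}

// Constructed request data; timestamps are passed explicitly so the run is reproducible.
$s  = new SecureSession(1800);
$ua = 'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/125.0';
$ip = '203.0.113.10';

// 1. The user logs in; an attacker behind the same router (same IP, same browser build,
//    so the IP and User-Agent checks do not help) copies both cookies at this moment.
[$sid, $stolenToken] = $s->start($ip, $ua, 1000);

// 2. The user clicks first: the token rotates.
$t2 = $s->touch($sid, $stolenToken, $ip, $ua, 1001);
check($t2 !== null && $t2 !== $stolenToken, 'legitimate request rotates the token');

// 3. The attacker replays the copied pair: stale token, session destroyed.
check($s->touch($sid, $stolenToken, $ip, $ua, 1002) === null, 'replayed token is rejected');
check(!$s->exists($sid), 'session row is gone after the failed replay');

// 4. Cost of the scheme: the real user's next click now fails too (logged out, not hijacked).
check($s->touch($sid, $t2, $ip, $ua, 1003) === null, 'user is logged out after the attack');

// 5. The IP-binding edge case from the post: an address change kills a legitimate session.
[$sid2, $tok2] = $s->start($ip, $ua, 2000);
check($s->touch($sid2, $tok2, '203.0.113.11', $ua, 2001) === null, 'IP change ends the session');
```

Run it with `php secure_session.php`. Step 3 is the "must be faster than the user clicks again" race from the post seen from the defender's side: whoever presents the stale token second loses, and the losing side may be the legitimate user if the attacker clicks first. The scheme therefore turns a silent hijack into a forced logout rather than preventing the theft itself, and it only works in the cookie scenarios; a session carried in the URL has no second place to put the rotating token.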