I checked out a few varieties to make the authentication process and proceed to secure pages.
1.) After login and writing userinfo into a SESSION variable, some secure pages use small scripts to recheck the md5 encrypted $_SESSION['passwort'] with the database every time they are called
2.) A second possibility is just to login and rely on some SESSION check in the beginning of every page, like
I would be interested in the security aspect of both. Is it better to establish a db connection every time or is it more secure just to request this $_SESSION['registered'] which came from a single authentication? Are there better options?
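Added example, not code from any poster in this thread: the two gate styles the question compares, side by side, plus the login step that sets them up. Everything in it is assumed: the table users(id, name, pw_hash) holds password_hash() output (used here in place of the md5 value the post mentions), the session key names are invented, and the in-memory SQLite user is a constructed fixture so the block runs on its own.

```php
<?php
// Added example, not from the thread. Assumptions: a users(id, name, pw_hash)
// table whose pw_hash column holds password_hash() output, and invented session keys.

session_start();

// Constructed fixture so the block runs stand-alone: one user in an in-memory SQLite DB.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pw_hash TEXT)');
$pdo->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Runs once, on successful login. Regenerating the ID here means a session ID an
// attacker planted before login never becomes an authenticated one.
function login(PDO $pdo, string $name, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, pw_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user_id']    = (int) $row['id'];
    $_SESSION['pw_hash']    = $row['pw_hash'];   // only approach 1 needs this
    $_SESSION['registered'] = true;              // only approach 2 needs this
    return true;
}

// Approach 1 from the question: query the database on every protected page and
// compare the stored hash with the one kept in the session. Costs one query per
// request, but a password change or a deleted account is noticed immediately.
function gate_recheck_db(PDO $pdo): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['pw_hash'])) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals compares in constant time, so the check leaks nothing about the hash
    return $row !== false && hash_equals($row['pw_hash'], $_SESSION['pw_hash']);
}

// Approach 2 from the question: trust the flag set at login. No query, but a
// changed password or a disabled account goes unnoticed until the session expires.
function gate_session_flag(): bool
{
    return ($_SESSION['registered'] ?? false) === true;
}

// Top of a protected page; either gate is used the same way.
if (!login($pdo, 'alice', 'correct horse') || !gate_recheck_db($pdo) || !gate_session_flag()) {
    http_response_code(403);
    exit('Not logged in');
}
echo "Welcome, user {$_SESSION['user_id']}\n";
```

Against a stolen session cookie both gates behave identically, which is the point the replies make: the extra query in approach 1 buys revocation (password change, account disabled), not protection against session capture.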
well.. session data is kept on the server, generally, so you could just set the session permission hook when needed.. which would save a database query for other information..
It all depends on the security you need. If you are protecting e.g. a members section where an unauthorized access is just annoying the session approach is ok. If you are protecting e.g. personal data of the user it might not be secure enough.
Your versions 1 and 2 have basically the same security as if the session is captured by someone it doesn't matter if you check the password against a database or just check the session. It might be enough security if you let the session die e.g. every 15 to 30 minutes.
Better security does require www-authentication, combined with sessions and probably SSL.
I am also still thinking about the security issue as it is probably the most complex thing if you need to protect something important, as there are so many ways to bypass certain settings.
Yeah, I like that www-authentication and I actually want to use SSL + Digest web authentication and sessions.
Found a very good PEAR class, which worked for me after some modifications: Auth and AuthHttp http://pear.php.net/packages.php?catpid ... entication
It's all about highly secure personal data, therefore it needs a special kind of "attention" and system design consideration.
But nevertheless, if I work with PHP I have to rely on SESSIONS as a security part somehow, do I? But that SESSION switching seems interesting to me, how would I code this? Does it change something on this session check that is performed on every page?
I use the session to recall the www-authenticate after a certain time the user has not done anything. The browser normally recalls the credentials as long as the browser stays open unless you call a new www-authentication. This reduces the danger of e.g. a user logging in using a public internet terminal where the browser stays open by default. In this scenario the attacker just needs to surf the browser history and simply connect.
There is of course no 100% security against stupid users but at least you can limit it down to a small percentage.
And how do you call this, how can I destroy the session after a certain time?
Is it a JavaScript thing that the browser automatically loads a page with a session_destroy() command after a while when no one has moved the mouse?
Or is there a setting on the server that destroys a session after a certain time?
For me it works to refresh the session on each link. If you only got one page simply destroy the session with e.g. a meta refresh after a certain time.
You could write a custom session handler with e.g. a MYSQL database and use a cronjob to do the garbage collection on the expired sessions.
you don't need a cronjob to garbage collect the expired sessions.. just run a delete query over the table saving only those with lifespans, and not autologin..
feyd wrote: you don't need a cronjob to garbage collect the expired sessions.. just run a delete query over the table saving only those with lifespans, and not autologin..
Of course this will work. I was thinking on a low activity site it might be a long time until a session expires, but of course then you don't have to worry about security at all.
Might be a performance plus to use cron on very high volume sites as the query might take some time if many sessions are saved in the table and you would have to do the query on every site call. But this as well must be indeed many sessions, so the delete query should be fine.
Usually when a browser window is closed, the session expires. But when no one closes the browser, what kind of setting destroys the session after a certain inactivity?
Is there a session expire setting server side, because e.g. JavaScript will not do a good job on this, will it?
And isn't a session refreshed every time I press a succeeding link?
You save a session ID in a database and add a timestamp.
On each call you check this entry against the timestamp and if it is beyond a certain time you destroy the session and reauthenticate. If the time is not expired you can refresh the timestamp.