Session question...

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Session question...

Post by alex.barylski »

When using authentication is it acceptable to store session state info in PHP sessions?

I am pretty sure I understand this, but just to be sure...

When you authenticate someone, it's not a good idea to store an "auth=true" variable inside client-side cookies, because they are easily spoofed...

What about doing the same for PHP sessions?

I can't see them being easily tinkered with from the outside world, or being any worse or better than storing session data in a DB like the following:

magic_cookie, time_created, userid

If I store:

magic_cookie, time_created

In a PHP session, would this be acceptable for authentication... and by acceptable I mean it prevents *direct* tinkering from the outside world like a cookie, not indirect, like hijacking some poorly written script.

However if you care to list possible security flaws with using sessions over DB storage I'm listening :)

I can see a database being a little more secure on shared hosts, etc., as you need to pass yet another layer of authentication to access the data. Other than that, though, how is it better or worse than a database as far as security?

Cheers :)
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

I don't think you should be worried about storing auth=true inside sessions, although it is definitely a bad idea for cookies (as you mentioned). You definitely should store as little input information inside of sessions as possible; other than that, sessions are pretty safe.

Session hijacking is also something you should read up on if you're working on authentication.
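The contrast the two posts above are drawing, as an added example that is not code from either poster: the spoofable "auth=true" cookie beside the server-side session version, with the session cookie itself hardened so that hijacking the id is harder. The demo user store, the `secure` flag (assumes the site is served over TLS) and the array form of `session_set_cookie_params()` (PHP 7.3 or newer) are assumptions for the example.

```php
<?php
// Added example, not from the original thread: "auth=true" in a cookie
// versus authentication state kept in the server-side PHP session.
declare(strict_types=1);

// Constructed demo user store: username => password_hash() output.
// The hash is computed at runtime so the file is self-contained.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// --- INSECURE: authentication state in a client-side cookie -------------
// Anyone can send "Cookie: auth=true" by hand; nothing ties it to a login,
// so this check is worthless as an access control.
function insecure_is_logged_in(): bool
{
    return isset($_COOKIE['auth']) && $_COOKIE['auth'] === 'true';
}

// --- HARDENED: authentication state in the server-side session ----------
// The browser only ever holds the random session id; the fact "alice is
// logged in" lives in $_SESSION on the server and cannot be edited by the
// client. What remains to protect is the id itself, hence the cookie flags.
function start_hardened_session(): void
{
    session_set_cookie_params([          // array form: PHP >= 7.3 (assumption)
        'lifetime' => 0,                 // session cookie, dropped on browser close
        'path'     => '/',
        'secure'   => true,              // assumption: site is served over HTTPS
        'httponly' => true,              // not readable from JavaScript
        'samesite' => 'Lax',             // not sent on cross-site POSTs
    ]);
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept an id from the URL
    session_start();
}

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // New id at the moment privileges change, so an id an attacker planted
    // before login (session fixation) is not the one that becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $username;
    $_SESSION['login_at'] = time();
    return true;
}

function current_user(): ?string
{
    return $_SESSION['user_id'] ?? null;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Minimal request handler for `php -S localhost:8080 this_file.php`.
start_hardened_session();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login($users, $_POST['username'] ?? '', $_POST['password'] ?? '');
    echo $ok ? 'logged in as ' . current_user() : 'login failed';
} elseif (isset($_GET['logout'])) {
    logout();
    echo 'logged out';
} else {
    // Compare the two checks: the cookie one is trivially satisfied with
    // `curl -b auth=true`, the session one only after a real login.
    echo 'cookie check says: ' . (insecure_is_logged_in() ? 'logged in' : 'anonymous') . "\n";
    echo 'session check says: ' . (current_user() ?? 'anonymous') . "\n";
}
```

On a shared host, the same caveat alex raised applies to the default file-based session store: anyone who can read the session save path can read every `$_SESSION`. A custom `session_set_save_handler()` backed by a database table, or a save path private to the account, closes that gap.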
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I run in the paranoid direction by reauthenticating on every transaction with a session. Any time security levels change up (moving to a higher level of security) the user will often be asked to retype their password. When that happens their old session is destroyed and a new session is created. If SSL is possible, I'd use that 100% of the time too, if the security needs are there.

Now, this is for a fairly high security site. It's not so important for lesser security sites, but I still keep some layers. Mostly the session regeneration when passing through the security levels.
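The step-up pattern described in the post above, as an added example rather than feyd's own code: moving to a higher security level asks for the password again, and on success the old session is discarded and a fresh one created, so a hijacked low-level session never quietly becomes a high-level one. The level names, the five-minute elevation timeout and the demo user store are assumptions for the example.

```php
<?php
// Added example, not from the original thread: re-authentication when
// moving to a higher security level, with the session replaced on success.
declare(strict_types=1);

const LEVEL_ANON  = 0;
const LEVEL_USER  = 1;   // normal browsing
const LEVEL_ADMIN = 2;   // sensitive actions (change password, billing, ...)
const STEP_UP_TTL = 300; // seconds an elevated level stays valid (assumption)

// Constructed demo user; hash computed at runtime to keep this self-contained.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

// Effective level of the current session. Elevated levels expire and drop
// back to the plain user level; the user level itself does not expire here.
function current_level(): int
{
    $level = $_SESSION['auth_level'] ?? LEVEL_ANON;
    if ($level > LEVEL_USER && time() - ($_SESSION['auth_time'] ?? 0) > STEP_UP_TTL) {
        $level = LEVEL_USER;
        $_SESSION['auth_level'] = LEVEL_USER;
    }
    return $level;
}

// "Destroy the old session and create a new one": new id (old one deleted),
// and nothing survives except what the caller explicitly passes in.
function fresh_session(array $keep): void
{
    session_regenerate_id(true);
    $_SESSION = $keep;
}

// Verify the password and move the session to $target level in a fresh session.
function step_up(array $users, string $username, string $password, int $target): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    fresh_session([
        'user_id'    => $username,
        'auth_level' => $target,
        'auth_time'  => time(),
    ]);
    return true;
}

// Gate for a page: true if the session is at least $required, otherwise the
// caller sends the visitor to the re-authentication form.
function require_level(int $required): bool
{
    return current_level() >= $required;
}

// Request handler for `php -S localhost:8080 this_file.php`.
session_start();
$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
if ($path === '/login' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    echo step_up($users, $_POST['username'] ?? '', $_POST['password'] ?? '', LEVEL_USER)
        ? 'logged in (level ' . current_level() . ')' : 'bad credentials';
} elseif ($path === '/elevate' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    // Must already be a logged-in user; retype the password to reach admin.
    if (!require_level(LEVEL_USER)) { http_response_code(403); echo 'log in first'; exit; }
    echo step_up($users, $_SESSION['user_id'], $_POST['password'] ?? '', LEVEL_ADMIN)
        ? 'elevated (level ' . current_level() . ')' : 'bad password';
} elseif ($path === '/admin') {
    if (!require_level(LEVEL_ADMIN)) { http_response_code(403); echo 're-authenticate'; exit; }
    echo 'admin area, level ' . current_level();
} else {
    echo 'level ' . current_level();
}
```

The point of `fresh_session()` is that the elevated session is built from scratch rather than by flipping a flag on the existing one: any state an attacker may have seeded into the old session is gone along with its id.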
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

The other thing you can do is to generate a unique key, save it in the session, pass it in the GET/POST, and check that the passed value and the one in the session match. Especially on login pages and any form where you don't want the data spoofed. Make sure you regenerate that key each time as well.
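The per-form key Christopher describes (a CSRF token), as an added example that is not his code: generated from the CSPRNG, stored in the session under the form's name, emitted as a hidden field, compared in constant time on submit, and regenerated after every check so each key is single-use. The form name, field name and session key layout are assumptions for the example.

```php
<?php
// Added example, not from the original thread: a single-use, per-form
// anti-forgery key stored in the session and checked on submit.
declare(strict_types=1);

// Generate (or rotate) the key for one named form. One key per form, so a
// token leaked from a harmless form cannot be replayed against "change email".
function csrf_token(string $form): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $_SESSION['csrf'][$form] = $token;
    return $token;
}

// Hidden input to drop into the form markup.
function csrf_field(string $form): string
{
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars(csrf_token($form), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate the submitted key and invalidate it whatever the outcome, so a key
// is accepted at most once. hash_equals() keeps the comparison constant-time.
function csrf_check(string $form, ?string $submitted): bool
{
    $expected = $_SESSION['csrf'][$form] ?? null;
    unset($_SESSION['csrf'][$form]);
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Demo handler for `php -S localhost:8080 this_file.php`: a "change email" form.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check('change_email', $_POST['_token'] ?? null)) {
        http_response_code(403);
        echo 'rejected: missing, wrong or reused form key';
        exit;
    }
    // Safe to act here: a forged cross-site POST cannot know the value that
    // sits in this visitor's server-side session.
    echo 'email changed to ' . htmlspecialchars($_POST['email'] ?? '', ENT_QUOTES, 'UTF-8');
    exit;
}
echo '<form method="post">'
   . csrf_field('change_email')
   . '<input name="email" type="email"> <button>Save</button></form>';
```

Regenerating on every check is the strict reading of "regenerate that key each time"; it breaks a user who opens the same form in two tabs, since the first submit invalidates the second tab's key. If that matters, keep the key per session and rotate it on login and logout instead, which still defeats forged requests because the attacker never learns the value.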