Session question...

Posted: Tue Apr 25, 2006 9:37 pm
by alex.barylski
When using authentication is it acceptable to store session state info in PHP sessions?

I am pretty sure I understand this, but just to be sure...

When you authenticate someone, it's not a good idea to store an "auth=true" variable inside client side cookies, cause they are easily spoofed...

What about doing the same for PHP sessions?

I can't see them being easily tinkered with from the outside world or being any worse or better than storing session data in a DB like follows:

magic_cookie, time_created, userid

If I store:

magic_cookie, time_created

In a PHP session, would this be acceptable for authentication...and by acceptable I mean, prevents *direct* tinkering from the outside world like a cookie, not indirect, like hijacking some poorly written script.

However if you care to list possible security flaws with using sessions over DB storage I'm listening :)

I can see a database being a little more secure on shared hosts, etc...as you need to pass yet another layer of authentication to access data. Other than that though, how is it better or worse than a database as far as security?

Cheers :)

Posted: Tue Apr 25, 2006 9:47 pm
by John Cartwright
I don't think you should be worried about storing auth=true inside sessions, although it is definitely a bad idea for cookies (as you mentioned). You definitely should store as little input information inside of sessions when possible; other than that sessions are pretty safe.

Session hijacking is also something you should read up on if you're working on authentication.

Posted: Tue Apr 25, 2006 10:29 pm
by feyd
I run the paranoid direction by reauthenticating on every transaction with a session. Any time security levels change up (moving to a higher level of security) the user will often be asked to retype their password. When that happens their old session is destroyed and a new session is created. If SSL is possible, I'd use that, 100% of the time too if security needs are there.

Now, this is for a fairly high security site. It's not so important for lesser security sites, but I still keep some layers. Mostly the session regeneration when passing through the security levels.
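The layering feyd describes, as an added example that is not code from this thread or from any of its posters: authentication state lives only in `$_SESSION` (never in a client-readable `auth=true` cookie, which answers the original question), and the session id is regenerated and the old server-side record deleted every time the security level changes. It assumes PHP 7.3+ and a hypothetical PDO connection to a `users(id, username, password_hash)` table; the `$pdo` handle, the table layout and the `normal`/`elevated` level names are all assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example: session-held auth state with id regeneration on every
// security-level change. Assumes PHP 7.3+ and a hypothetical
// users(id, username, password_hash) table behind a PDO handle.

// Cookie hardening before the session starts: the id is never sent over
// plain HTTP ('secure', i.e. the SSL case) and scripts cannot read it.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Hypothetical lookup helpers; each returns the user row or null.
function find_user_by_name(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function find_user_by_id(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Throw away the session the client arrived with and start a clean one.
// The old id is deleted server-side (the `true` argument), so an id that
// was planted or stolen before login never becomes an authenticated one.
function fresh_session(array $state): void
{
    session_regenerate_id(true);
    $_SESSION = $state;
}

function login(PDO $pdo, string $username, string $password): bool
{
    $user = find_user_by_name($pdo, $username);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    fresh_session([
        'user_id'   => (int) $user['id'],
        'level'     => 'normal',
        'auth_time' => time(),
    ]);
    return true;
}

// Step up to the elevated level: password retyped, session rebuilt again.
function elevate(PDO $pdo, string $password): bool
{
    if (empty($_SESSION['user_id'])) {
        return false;
    }
    $user = find_user_by_id($pdo, (int) $_SESSION['user_id']);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    fresh_session([
        'user_id'     => (int) $user['id'],
        'level'       => 'elevated',
        'auth_time'   => time(),
        'elevated_at' => time(),
    ]);
    return true;
}

// Page gate: elevated access also expires after $max_age seconds, after
// which the user is sent back through elevate().
function require_level(string $level, int $max_age = 300): void
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit('login required');
    }
    if ($level === 'elevated') {
        $fresh = ($_SESSION['level'] ?? '') === 'elevated'
            && isset($_SESSION['elevated_at'])
            && (time() - (int) $_SESSION['elevated_at']) < $max_age;
        if (!$fresh) {
            http_response_code(403);
            exit('re-authentication required');
        }
    }
}

// Logout: clear state, expire the cookie, delete the server-side record.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

A page that changes account settings would call `require_level('elevated')` at the top; a user whose last password re-entry is older than five minutes is bounced to the step-up form, and every successful `login()` or `elevate()` leaves the previous session id unusable on the server.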

Posted: Tue Apr 25, 2006 10:33 pm
by Christopher
The other thing you can do is to generate a unique key, save it in the session, pass it in the get/post, and check that the passed value and the one in the session match. Especially on login pages and any form where you don't want the data spoofed. Make sure you regenerate that key each time as well.
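Christopher's per-form key, as an added example rather than code from this thread or its posters: a random token is issued when the form is rendered, kept in the session, and a submission is accepted only if it carries a matching copy; the stored token is consumed on the first check so it cannot be replayed, and a new one is issued for the next render. It assumes PHP 7.0+ (for `random_bytes` and `hash_equals`); the form name `login` and the 15-minute lifetime are choices made for the example.

```php
<?php
declare(strict_types=1);

// Added example: single-use form token stored server-side in the session
// and compared against the POSTed copy. Assumes PHP 7.0+.
session_start();

// Issue a fresh token for $form. The caller embeds the returned value in a
// hidden field; only the session holds the reference copy.
function issue_form_token(string $form): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$form] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Validate and consume the token for $form. Returns false when the token is
// missing, stale, or does not match; the stored copy is removed before the
// comparison so a second submission of the same value always fails.
function check_form_token(string $form, ?string $submitted, int $max_age = 900): bool
{
    $stored = $_SESSION['form_tokens'][$form] ?? null;
    unset($_SESSION['form_tokens'][$form]);
    if ($stored === null || $submitted === null) {
        return false;
    }
    if ((time() - (int) $stored['issued']) > $max_age) {
        return false;
    }
    // Constant-time comparison: the token is a secret, so do not use ==.
    return hash_equals($stored['value'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_form_token('login', $_POST['token'] ?? null)) {
        http_response_code(403);
        exit('form token missing, stale or already used');
    }
    // Token accepted: process the login here, then fall through so the
    // next render gets a brand-new token.
}

// Render the form with a newly issued token (GET, or POST after handling).
$token = issue_form_token('login');
echo '<form method="post">'
   . '<input type="hidden" name="token" value="'
   . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
   . '<input name="username"> <input type="password" name="password">'
   . '<button type="submit">Log in</button>'
   . '</form>';
```

Because the reference copy never leaves the server, a third-party page that tricks the browser into posting this form cannot supply a matching `token` field, and a captured submission cannot be replayed once the stored token has been consumed.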