login using sessions
Posted: Tue Mar 27, 2007 8:47 am
by weeping
hello,
after reading a lot about sessions and related stuff i have decided to create a login system using sessions while storing the session id inside a cookie on users' PCs. maybe after i create a secure, proven system i will also include the case when users don't allow cookies, so i will propagate PHPSESSIDs through URLs
BUT until then i have a few things i don't understand and i came here to clear them up.
basically i will use the following logic in creating the login script:
------------------------------------------------------------------------------------------------------------------------------------
PART 1 - login check
login form
match user and pass from $_POST with the ones registered in mysql
if ok: session_start()
insert user inside $_SESSION['user']
--------
should i insert also the password inside $_SESSION['pass'] ?
----- should i do that ? if the answer is yes should i encrypt it ?
----- do i need to encrypt with one-ways enc methods the info i assign to $_SESSION array ???
----- is that info from $_SESSION reachable by users through any sort of tricks ?
------------
should i capture and insert into $_SESSION the session_id() value ? is that of any use in future tracking of the session?
---------------------------------------------------------------------------------------------------------------
PART2 - secured page
what is recommended to use:
a) mysql db match of $_SESSION[user and pass..] with registered values, or
b) if isset($_SESSION[user]) && isset($_SESSION[pass])
using a db query on each secured page increases the load time and the db load also.
is using isset safe enough for authenticating the user when accessing the page, or should i use a db query to match the user and pass saved in $_SESSION with the ones registered ?
what happens with the content of $_SESSION after closing the browser?
for how long will the session remain on the server if the user leaves without logging out?
btw: what's the safest method: cookies/session(using cookie)/session propagated through url ??
Re: login using sessions
Posted: Tue Mar 27, 2007 9:18 am
by Mordred
Answers inline in red, sorry for the brevity but you asked a lot of questions
weeping wrote: hello,
after reading a lot about sessions and related stuff i have decided to create a login system using sessions while storing the session id inside a cookie on users' PCs. maybe after i create a secure, proven system i will also include the case when users don't allow cookies, so i will propagate PHPSESSIDs through URLs
BUT until then i have a few things i don't understand and i came here to clear them up.
basically i will use the following logic in creating the login script:
------------------------------------------------------------------------------------------------------------------------------------
PART 1 - login check
login form
match user and pass from $_POST with the ones registered in mysql
if ok: session_start() also session_regenerate_id() to avoid session fixation
insert user inside $_SESSION['user'] (a numeric user_id is a better UNIQUE identifier -- both in mysql and PHP)
--------
should i insert also the password inside $_SESSION['pass'] ? no, the session id is your new auth token
----- should i do that ? if the answer is yes should i encrypt it ?
----- do i need to encrypt with one-ways enc methods the info i assign to $_SESSION array ??? generally, no
----- is that info from $_SESSION reachable by users through any sort of tricks ? in some (mis)setups of shared hosting the session files could be readable by others. Sessions can be kept in the database, which means they can be leaked through a SQL injection.
------------
should i capture and insert into $_SESSION the session_id() value ? is that of any use in future tracking of the session? No. session_id() is the token that identifies the $_SESSION data, so it would be redundant.
---------------------------------------------------------------------------------------------------------------
PART2 - secured page
what is recommended to use:
a) mysql db match of $_SESSION[user and pass..] with registered values, or
b) if isset($_SESSION[user]) && isset($_SESSION[pass])
I go for isset($_SESSION['login']['user_id']) with additional (optional) checks for ip and timeout. Keeping user/pass in the session is not wise.
using a db query on each secured page increases the load time and the db load also.
The performance cost is insignificant
is using isset safe enough for authenticating the user when accessing the page, or should i use a db query to match the user and pass saved in $_SESSION with the ones registered ?
No, this was done already when logging in, and nobody else can create a session on your server, so..
what happens with the content of $_SESSION after closing the browser?
The session is kept on the server, but you can control the lifetime of the session id if you pass it by a cookie
for how long will the session remain on the server if the user leaves without logging out?
Write custom code to handle this
btw: what's the safest method: cookies/session(using cookie)/session propagated through url ??
Session using cookie
Edit: This belongs to "Security" btw
well
Posted: Tue Mar 27, 2007 2:38 pm
by weeping
first i wanna thank you for the quick response and now allow me to ask a few more things i wanna clarify
you advised me to use session_regenerate_id() to avoid session fixation, which updates the current session id with a newly generated one.
how should i use it ?
session_start();
session_regenerate_id();
is it correct or do i also need to refresh the page after regenerating the session id ?
i thought also about retaining the user ip for statistics and also for monitoring repeated failed login attempts and blocking the ip after let's say 10 attempts for 1h..
when you said timeout you probably meant monitoring user inactivity for triggering a session_destroy after a specific amount of time (without using java) ?? how ?
"but you can control the lifetime of the session id if you pass it by a cookie "
my theory was to use a session with only one single cookie that is automatically created by session_start(). i did not intend to create other ones because if so i would have chosen the cookies-only option without using sessions at all.
can you please give an example of what you meant by saying i can control session lifetime using a cookie?
10x
Re: well
Posted: Wed Mar 28, 2007 3:45 am
by Mordred
weeping wrote: first i wanna thank you for the quick response and now allow me to ask a few more things i wanna clarify
you advised me to use session_regenerate_id() to avoid session fixation, which updates the current session id with a newly generated one.
how should i use it ?
session_start();
session_regenerate_id(); yes, RTFM for details
is it correct or do i also need to refresh the page after regenerating the session id ? no need to refresh, the response page where you regenerate the id will issue a cookie with the updated SID
i thought also about retaining the user ip for statistics and also for monitoring repeated failed login attempts and blocking the ip after let's say 10 attempts for 1h.. hmm, it's okay, but it's easily bypassed by a proxy, so don't sweat too much about it.
when you said timeout you probably meant monitoring user inactivity for triggering a session_destroy after a specific amount of time (without using java) ?? how ?
1. (client-side) Set cookie lifetime to now+30 minutes (this is actually optional, as we will do it on the server side as well)
2. Write the last access time to the session
3. If a request comes and the last access time in the session was too long ago, we logout the user and display an appropriate page
4. If a request comes and the session hasn't timed out, we update the last access time (and the cookie time)
"but you can control the lifetime of the session id if you pass it by a cookie "
my theory was to use a session with only one single cookie that is automatically created by session_start(). i did not intend to create other ones because if so i would have chosen the cookies-only option without using sessions at all.
can you please give an example of what you meant by saying i can control session lifetime using a cookie?
Use just one cookie, for the session id. All other info should be kept in the session (server-side). RTFM on setcookie() for details on cookie lifetime.
10x
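Putting Mordred's two answers together (store a numeric user_id rather than the password, regenerate the id at login, then an isset() check plus the four-step inactivity timeout on every secured page), here is an added example that is not code from the thread. find_user_by_name() is a hypothetical lookup against your users table that returns ['id' => int, 'pass_hash' => string] or null, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example, not from the thread. find_user_by_name() is hypothetical.
const IDLE_TIMEOUT = 1800; // 30 minutes of inactivity (Mordred's step 1)

function secure_session_start(): void {
    // One cookie carries the session id; HttpOnly keeps page scripts from
    // reading it and Secure restricts it to HTTPS.
    session_set_cookie_params(['lifetime' => IDLE_TIMEOUT, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// login.php: verify the credentials, then swap the session id (fixation defence).
function login(string $user, string $pass): bool {
    secure_session_start();
    $row = find_user_by_name($user);                       // hypothetical DB lookup
    if ($row === null || !password_verify($pass, $row['pass_hash'])) {
        return false;                                      // same answer for both failures
    }
    session_regenerate_id(true);                           // old id file is deleted
    $_SESSION['login'] = ['user_id' => $row['id'], 'last_access' => time()];
    return true;                                           // the password is never stored
}

// Top of every secured page: isset() check plus the inactivity timeout (steps 2-4).
function require_login(): int {
    secure_session_start();
    $login = $_SESSION['login'] ?? null;
    if (!isset($login['user_id']) || time() - $login['last_access'] > IDLE_TIMEOUT) {
        logout();                                          // step 3: too old, log out
        header('Location: /login.php?timeout=1');
        exit;
    }
    $_SESSION['login']['last_access'] = time();            // step 4: refresh server side
    setcookie(session_name(), session_id(), time() + IDLE_TIMEOUT, '/', '', true, true); // and the cookie
    return $login['user_id'];
}

// Logout wipes the server-side data, so a leftover cookie value identifies nothing.
function logout(): void {
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/', '', true, true);
    session_destroy();
}
```

Because require_login() only trusts data that login() wrote server-side, a client can present a session id but cannot populate $_SESSION itself; the DB is consulted once, at login, as Mordred describes.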
Posted: Wed Mar 28, 2007 8:41 am
by weeping
let's suppose the host server has:
session.gc_maxlifetime = 24h
session.gc_probability = 1
session.gc_divisor = 100
this is highly probable on most of the hosting servers.
we see that there is a 1/100 chance that garbage collection starts at each 24h - the conclusion is that sessions remain on the server for a few days.
-----------------------------------------------------------------------------------------------------------
i have access to the browser folders of some user and i get all the cookie content values in time (before regenerating ids) - remember the sessions are still on the webserver and will be there for days
i create a new cookie with the content (from above) and also i will create a huge $_SESSION array containing thousands of possible values such as $_SESSION['username, user, pass, id,uniquevalue ,uniqueid...................']
-------------------------------------------------------------------------------------------------------------
you told me that the only check i need to do when opening a new secured page is :
session_start();
session_regenerate_id();
if (isset($_SESSION['uniquevalue'])) {echo "you are logged in";}
............
as you can see i already thought of declaring 'uniquevalue' in my $_SESSION above so i can now create a cookie with a formerly valid content (session_id()) and also initiate my $_SESSION['huge array with lots of values']
without matching the $_SESSION['values'] with the DB registered values on every secured page, what i have just shown to you happens...
am i right ?
10x