PHP Login/Sessions

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

depaya
Forum Newbie
Posts: 3
Joined: Sun Aug 16, 2009 11:51 pm

PHP Login/Sessions

Post by depaya »

I'm sure this is asked a lot. I've built my own simple login system using sessions, etc. I want it to be very secure, so what I've done is pass the username and password along through the session vars, and each time a page is loaded the page queries the database to make sure the user info is correct.

Is this necessary, or is it a waste of a mysql query?
AlanG
Forum Contributor
Posts: 136
Joined: Wed Jun 10, 2009 1:03 am

Re: PHP Login/Sessions

Post by AlanG »

Where are the sessions being stored? You shouldn't store the user's password in a session variable. It's common practice to log a user in and store a user id or username in a session variable, you can then check the user's permissions on each page load. Common enough method, I do it that way myself.

I wouldn't worry about micro optimisation until the system is up and running and doing everything you need it to.
tajiknizam
Forum Newbie
Posts: 7
Joined: Tue Aug 18, 2009 6:25 am
Location: Pakistan

Hello

Post by tajiknizam »

No, there is no need to query the database again and again.

Start a session and store the username and password in session variables.
Now each time the page refreshes or the user moves to another page, the session function should be checked, to see whether the server still has
that username and password in its session or not.

Try it, it's the best way; it's what I do.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: PHP Login/Sessions

Post by jackpf »

Storing passwords in sessions is not a good idea. If someone were to steal the session, they'd have the user's username and password. The username alone is not of great importance, but with the password, the hijacker has got complete access to the user's account, for as long as their password is the same.
AlanG
Forum Contributor
Posts: 136
Joined: Wed Jun 10, 2009 1:03 am

Re: PHP Login/Sessions

Post by AlanG »

jackpf wrote:Storing passwords in sessions is not a good idea. If someone were to steal the session, they'd have the user's username and password. The username alone is not of great importance, but with the password, the hijacker has got complete access to the user's account, for as long as their password is the same.
I completely agree. Also, one extra query on every page ain't going to overload your server. If it is, I suggest you switch your hosting provider. :)
If micro optimisation is getting in the way of development, you need to stop micro optimising.
depaya
Forum Newbie
Posts: 3
Joined: Sun Aug 16, 2009 11:51 pm

Re: PHP Login/Sessions

Post by depaya »

Well how possible is it to steal/hijack a session?
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: PHP Login/Sessions

Post by jackpf »

If someone listens to the traffic on your server, or someone implements some XSS to steal the session ID, very easy indeed.
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: PHP Login/Sessions

Post by Darhazer »

jackpf wrote:If someone listens to the traffic on your server, or someone implements some XSS to steal the session ID, very easy indeed.
In this way the session ID will be stolen (session hijacking, exactly), but not the actual session data (the password, if the password is in the session).
On the other hand, if someone by any chance gets access to wherever the session data is stored (file system or database), he can read the session data and steal all the stored passwords, and he doesn't need to hijack the session.

So do not store the password in the session! Also make sure the initial check of username and password => creating the session is secure. Regenerate the session ID after the login (to prevent session fixation). Make sure you have no XSS vulnerabilities, as they make session hijacking really easy.

Store the password itself in securely hashed manner (hmac-md5 for example, instead of simple md5)
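The login flow the posters above describe (store only the user ID in the session, re-check the account on each page load, regenerate the session ID after login), written out as an added example. This is not code from any poster in this thread. It assumes a PDO handle `$db` and a hypothetical table `users(id, username, password_hash, is_active)`; for the stored password it uses PHP's `password_hash()`/`password_verify()` (bcrypt with a per-user salt) rather than the HMAC-MD5 mentioned in the post above.

```php
<?php
// Added example, not from the thread. Assumes a PDO handle $db and a
// hypothetical table users(id, username, password_hash, is_active), where
// password_hash holds the output of password_hash($plain, PASSWORD_DEFAULT).

declare(strict_types=1);

function start_secure_session(): void
{
    // Refuse session IDs the server never issued (defence against fixation),
    // and keep the cookie off plain HTTP and out of reach of JavaScript.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user does not exist, so the
    // response time does not reveal which usernames are valid.
    $hash = ($row !== false) ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $row === false) {
        return false;
    }

    // New ID at the privilege change: whatever ID the browser arrived with
    // (possibly planted by an attacker) is discarded together with its data.
    session_regenerate_id(true);

    // Only the user ID goes into the session. Never the password.
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['login_at'] = time();
    return true;
}

function current_user(PDO $db): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    // One cheap query per request re-reads the account, so a disabled
    // account or a changed role takes effect immediately instead of
    // whenever the session happens to expire.
    $stmt = $db->prepare('SELECT id, username, is_active FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !$user['is_active']) {
        logout();
        return null;
    }
    return $user;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage (constructed): at the top of every page
// start_secure_session();
// $user = current_user($db) ?? exit('Please log in');
```

The per-request lookup in `current_user()` is exactly the "one extra query" discussed above; it is what lets you lock an account or revoke a session server-side without waiting for the cookie to expire. Note that `session_regenerate_id(true)` only helps if `session.use_strict_mode` is on; otherwise PHP will happily accept an attacker-chosen ID before login.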
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP Login/Sessions

Post by kaisellgren »

Store the user id in the session, not the username / the password.

Hijacking into sessions is not amazingly hard. Cracking the session engine itself is harder, but indeed possible. There are no reasons to store usernames or passwords in sessions, so, we do not store them.
Darhazer wrote:Store the password itself in securely hashed manner (hmac-md5 for example, instead of simple md5)
And store it in the session?
depaya
Forum Newbie
Posts: 3
Joined: Sun Aug 16, 2009 11:51 pm

Re: PHP Login/Sessions

Post by depaya »

If it is simple to hijack a session, and someone hijacks a session ID, won't they have access to the user's account then? Is there no way to prevent this?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP Login/Sessions

Post by kaisellgren »

depaya wrote:If it is simple to hijack a session, and someone hijacks a session ID, won't they have access to the user's account then? Is there no way to prevent this?
If you have hijacked a session, then you are authenticated as the specific user and you are authorized to do pretty much anything he is authorized to do. You can help prevent this by asking the password before doing anything. It is also advisable to loosely tie the session to an IP address. Other than that, there's not much you can do about that than asking for something that the intruder does not know. As for the session hijacking itself, it is not simple to achieve if the site is well secured, so, securing your site well in overall is the key to success. This involves the use of SSL/TLS, strong session identifiers, no vulnerabilities and secure code in general (architecture, design, approaches to different scenarios, principles, ...).
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: PHP Login/Sessions

Post by Darhazer »

kaisellgren wrote:Store the user id in the session, not the username / the password.

Hijacking into sessions is not amazingly hard. Cracking the session engine itself is harder, but indeed possible. There are no reasons to store usernames or passwords in sessions, so, we do not store them.
Darhazer wrote:Store the password itself in securely hashed manner (hmac-md5 for example, instead of simple md5)
And store it in the session?
Of course not; my previous paragraph begins with "So do not store the password in the session".