PHP Login/Sessions
I'm sure this is asked a lot. I've built my own, simple, login system using sessions, etc. I want it to be very secure, so what I've done is passed the username and password along through the session var's, and each time a page is loaded the page querys the database to make sure the user info is correct.
Is this necessary, or is it a waste of a mysql query?
Re: PHP Login/Sessions
Where are the sessions being stored? You shouldn't store the user's password in a session variable. It's common practice to log a user in and store a user id or username in a session variable, you can then check the user's permissions on each page load. Common enough method, I do it that way myself.
I wouldn't worry about micro optimisaton, until the system is up and running and doing everything you need it to.
- tajiknizam
Hello
No, no need of querying the database again and again:
make a session start, and store the username and password in session variables;
now each time the page refreshes
or the user moves to another page, the session function should be checked, whether the server still has
that username and password in its session or not.
Try it, it's the best way; I do it.
Re: PHP Login/Sessions
Storing passwords in sessions is not a good idea. If someone were to steal the session, they'd have the user's username and password. The username alone is not of great importance, but with the password, the hijacker has got complete access to the user's account, for as long as their password is the same.
Re: PHP Login/Sessions
jackpf wrote:
Storing passwords in sessions is not a good idea. If someone were to steal the session, they'd have the user's username and password. The username alone is not of great importance, but with the password, the hijacker has got complete access to the user's account, for as long as their password is the same.

I completely agree. Also, one extra query on every page ain't going to overload your server. If it is, I suggest you switch your hosting provider.
If micro optimisation is getting in the way of development, you need to stop micro optimising.
Re: PHP Login/Sessions
Well how possible is it to steal/hijack a session?
Re: PHP Login/Sessions
If someone listens to the traffic on your server, or someone implements some XSS to steal the session ID, very easy indeed.
Re: PHP Login/Sessions
jackpf wrote:
If someone listens to the traffic on your server, or someone implements some XSS to steal the session ID, very easy indeed.

In this way the session ID will be stolen (session hijacking, exactly), but not the actual session data (the password, if the password is in the session).
On the other hand, if someone by any chance gets access to wherever the session data is stored (file system or database), he can read the session data and steal all the stored passwords, and he doesn't need to hijack the session.
So do not store the password in the session! Also make sure the initial check of username and password => creating the session, is secure. Regenerate the session id after the login (to prevent session fixation). Make sure you have no XSS vulnerabilities, as they make session hijacking really easy.
Store the password itself in a securely hashed manner (hmac-md5 for example, instead of simple md5).
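The pattern recommended in the two replies above (keep only a user id in the session, re-check the account against the database on every page, regenerate the session id after login) as an added example; this is not code from the thread or from any poster. It assumes a PDO connection `$pdo` and a hypothetical `users` table with columns `id`, `username`, `password_hash` and `is_active`, and it uses PHP's `password_hash()`/`password_verify()` for the stored credential rather than the HMAC-MD5 mentioned above.

```php
<?php
// Added example: login that stores only the user id in the session and re-checks the
// account on every page load. Schema (users: id, username, password_hash, is_active)
// is hypothetical. Password storage uses password_hash()/password_verify().
declare(strict_types=1);

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the account does not exist, so a missing user
    // and a wrong password take roughly the same time (no username enumeration by timing).
    $hash = $user['password_hash'] ?? password_hash('dummy-not-a-real-password', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $user === false) {
        return false;
    }

    // Fresh id after authentication: a session id fixed by an attacker before login
    // is never promoted to an authenticated one.
    session_regenerate_id(true);
    $_SESSION = ['user_id' => (int) $user['id'], 'auth_at' => time()];
    return true;
}

// Per-page check. The session holds only the id; username, status and permissions
// come from the database, so a disabled account takes effect on the next request.
function currentUser(PDO $pdo): ?array
{
    if (empty($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username, is_active FROM users WHERE id = ?');
    $stmt->execute([(int) $_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !$user['is_active']) {
        logout();
        return null;
    }
    return $user;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie on the client as well as destroying server-side data.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage at the top of every protected page ($pdo is your existing connection):
//   session_start();
//   $me = currentUser($pdo);
//   if ($me === null) { header('Location: /login.php'); exit; }
```

The one extra `SELECT ... WHERE id = ?` per page is a primary-key lookup; it is the query that lets a password change, account lock or permission change apply immediately, which a credential cached in the session cannot do.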
- kaisellgren
Re: PHP Login/Sessions
Store the user id in the session, not the username / the password.
Hijacking into sessions is not amazingly hard. Cracking the session engine itself is harder, but indeed possible. There are no reasons to store usernames or passwords in sessions, so, we do not store them.
Darhazer wrote:
Store the password itself in securely hashed manner (hmac-md5 for example, instead of simple md5)

And store it in the session?
Re: PHP Login/Sessions
If it is simple to hijack a session, and someone hijacks a session ID, won't they have access to the user's account then? Is there no way to prevent this?
- kaisellgren
Re: PHP Login/Sessions
depaya wrote:
If it is simple to hijack a session, and someone hijacks a session ID, won't they have access to the user's account then? Is there no way to prevent this?

If you have hijacked a session, then you are authenticated as the specific user and you are authorized to do pretty much anything he is authorized to do. You can help prevent this by asking the password before doing anything. It is also advisable to loosely tie the session to an IP address. Other than that, there's not much you can do about that than asking for something that the intruder does not know. As for the session hijacking itself, it is not simple to achieve if the site is well secured, so, securing your site well in overall is the key to success. This involves the use of SSL/TLS, strong session identifiers, no vulnerabilities and secure code in general (architecture, design, approaches to different scenarios, principles, ...).
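The hardening measures listed in the reply above (strong session identifiers, TLS-only cookies, a loose tie to the client IP, and asking for the password again before sensitive actions) as an added example; it is not code from the thread or from any poster. It assumes this file is included before any output on every page, that the site is served over HTTPS, and it picks a /24 prefix for the IP binding and a five-minute re-authentication window; both values are illustrative choices, not something the thread specifies.

```php
<?php
// Added example: session hardening bootstrap. Assumes HTTPS and inclusion before output.
// The /24 prefix and the 300-second re-auth window are illustrative choices.
declare(strict_types=1);

// Identifier and cookie settings; all must be set before session_start().
ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue (anti-fixation)
ini_set('session.use_only_cookies', '1');  // never read the id from the URL
ini_set('session.sid_length', '48');       // long, high-entropy identifiers
ini_set('session.sid_bits_per_character', '6');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // only sent over TLS, so it cannot be sniffed on the wire
    'httponly' => true,   // not readable from script, which blunts XSS-based theft
    'samesite' => 'Lax',
]);
session_start();

// Loose IP binding: compare only the first three IPv4 octets so a changing last octet
// does not log users out, while a client on a different network is rejected.
// IPv6 addresses (no dots) fall back to an exact comparison.
function ipPrefix(string $ip): string
{
    $parts = explode('.', $ip);
    return count($parts) === 4 ? implode('.', array_slice($parts, 0, 3)) : $ip;
}

function bindClient(): void
{
    $prefix = ipPrefix($_SERVER['REMOTE_ADDR'] ?? '');
    if (!isset($_SESSION['ip_prefix'])) {
        $_SESSION['ip_prefix'] = $prefix;   // first request of this session
        return;
    }
    if ($_SESSION['ip_prefix'] !== $prefix) {
        // Possible hijack: discard the session rather than trust it.
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');
        exit;
    }
}

// Step-up check for sensitive pages: require a password entry within the last
// $maxAgeSeconds. An intruder holding only the session id cannot pass it.
function requireRecentAuth(int $maxAgeSeconds = 300): void
{
    $authAt = (int) ($_SESSION['auth_at'] ?? 0);
    if (time() - $authAt > $maxAgeSeconds) {
        $_SESSION['after_reauth'] = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: /reauth.php');
        exit;
    }
}

// Wherever the password is verified (login.php, reauth.php), rotate the id and
// record the time so requireRecentAuth() has something to compare against:
//   session_regenerate_id(true);
//   $_SESSION['auth_at'] = time();

bindClient();
// In a sensitive page such as change-password.php, call requireRecentAuth() first.
```

The IP prefix check is deliberately loose, as the reply suggests: a strict per-address binding breaks legitimate users behind load-balanced or mobile gateways, and an attacker on the same network still passes it, so it is a speed bump rather than the main control. The `secure`/`httponly` flags and `use_strict_mode` are what remove the easy paths (sniffing, script access, fixation) that the earlier replies describe.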
Re: PHP Login/Sessions
kaisellgren wrote:
Store the user id in the session, not the username / the password.
Hijacking into sessions is not amazingly hard. Cracking the session engine itself is harder, but indeed possible. There are no reasons to store usernames or passwords in sessions, so, we do not store them.
    Darhazer wrote:
    Store the password itself in securely hashed manner (hmac-md5 for example, instead of simple md5)
And store it in the session?

Of course not, my previous paragraph begins with "So do not store the password in the session".