Regex, SSL on session variables?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


mottwsc
Forum Commoner
Posts: 55
Joined: Sun Dec 23, 2007 8:01 pm

Regex, SSL on session variables?

Post by mottwsc »

I create session variables upon a successful login for holding items between pages. For example: username, preferences and authorization.

(1) When I read from those session variables on the following pages, should I use something like a regex to revalidate what I'm reading from the session variable, or is this overkill?

(2) If I use SSL on my site, does this eliminate the need to do this since it will better protect the session variables?

Thanks!
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Regex, SSL on session variables?

Post by flying_circus »

mottwsc wrote: I create session variables upon a successful login for holding items between pages. For example: username, preferences and authorization.
I never store user credentials in sessions. Storing a user id (something not required to log in) would be a better solution.
mottwsc wrote: (1) When I read from those session variables on the following pages, should I use something like a regex to revalidate what I'm reading from the session variable, or is this overkill?
Session data is stored on the server. While it is possible that it can be compromised, what are you going to validate it against? The better option is to take precautions to protect your data (i.e. storing the session files in a non-shared directory, or in a database).
mottwsc wrote: (2) If I use SSL on my site, does this eliminate the need to do this since it will better protect the session variables?

Thanks!
No, SSL protects data transmitted from server to client and vice versa. Since your session data is stored on the server, SSL will do nothing to protect it. SSL will, however, encrypt the session id as it is in transit between client and server, which is a requirement for secure pages.
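As an added example (not code from the thread), session settings that put flying_circus's advice into practice: a private save path instead of the shared default, and cookie flags that only send the session id over SSL/TLS. The directory path and the HTTPS flag are assumptions.

```php
<?php
// Added example, not from the thread: session hardening to match the advice above.
// The directory is an assumed placeholder; it should sit outside the web root and
// not be shared with other accounts on the same host.
declare(strict_types=1);

function configureSessions(string $privateDir, bool $siteUsesHttps): array {
    if (!is_dir($privateDir) && !mkdir($privateDir, 0700, true)) {
        throw new RuntimeException("cannot create session directory $privateDir");
    }
    $settings = [
        'session.save_path'        => $privateDir,  // not the shared /tmp default
        'session.use_strict_mode'  => '1',          // reject ids the server never issued
        'session.use_only_cookies' => '1',          // never accept the id from a URL
        'session.cookie_httponly'  => '1',          // keep the id away from page scripts
        'session.cookie_secure'    => $siteUsesHttps ? '1' : '0', // id only over SSL/TLS
    ];
    foreach ($settings as $key => $value) {
        if (ini_set($key, $value) === false) {
            throw new RuntimeException("cannot set $key");
        }
    }
    return $settings;
}

// Assumed layout: the sessions directory lives one level above the web root.
configureSessions(__DIR__ . '/../private/sessions', true);
session_start();
```

These must run before session_start(); once a session is active the settings cannot be changed for that request.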
mottwsc
Forum Commoner
Posts: 55
Joined: Sun Dec 23, 2007 8:01 pm

Re: Regex, SSL on session variables?

Post by mottwsc »

Thanks for your suggestions.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Regex, SSL on session variables?

Post by kaisellgren »

Use the database column ID to identify the user, not the username.
mottwsc wrote: (1) When I read from those session variables on the following pages, should I use something like a regex to revalidate what I'm reading from the session variable, or is this overkill?
What are you doing exactly? If you are, say, outputting a session variable, encode/filter it. If you are passing session data into the database, escape it. And so forth.
mottwsc
Forum Commoner
Posts: 55
Joined: Sun Dec 23, 2007 8:01 pm

Re: Regex, SSL on session variables?

Post by mottwsc »

I will switch to using a DB user ID in a session variable instead of the user name. On that note, I have used a sequential number for user ID in the past, but couldn't that be a risk since a hacker could run through a series of numbers and finally hit one? Wouldn't it be better to keep a number ID in one DB field, then append a random string of (six or so) numbers/characters to it and populate the user ID field with that?
kaisellgren wrote: What are you doing exactly? If you are, say, outputting a session variable, encode/filter it. If you are passing session data into the database, escape it. And so forth.
Once I validate a user on login, I assign several session variables such as their ID, whether or not they are a regular or trial user, what status they have, etc. There are general pages (like contact) that both logged-in and non-logged-in users can access. I need to read these session variables at the beginning of each page to determine what to show on a page. If (staying with the contact example) a user is not logged in, she sees a generic contact page. If a user is logged in, she sees a contact page that is already prefilled with her contact info. There are also specific pages that only a logged-in user can get to.

In certain cases, I'm just reading the session variable and branching to some code based on that. In other cases, I'm using the session variable in a query against the database. So, I'll plan to filter them each time I use them for a query just like any user input.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Regex, SSL on session variables?

Post by kaisellgren »

mottwsc wrote: I will switch to using a DB user ID in a session variable instead of the user name. On that note, I have used a sequential number for user ID in the past, but couldn't that be a risk since a hacker could run through a series of numbers and finally hit one? Wouldn't it be better to keep a number ID in one DB field, then append a random string of (six or so) numbers/characters to it and populate the user ID field with that?
The ID is only stored in the session so that your application knows to look for the right column in the database. It's basically a foreign key.
mottwsc wrote: If a user is logged in, she sees a contact page that is already prefilled with her contact info.
You need to handle the prefilled data like any other user supplied data. Encode it before placing it on the form to prevent XSS. And as you said, you need to also handle data that goes to the database just like any other user input.
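The pattern kaisellgren and mottwsc settle on, as an added example that is not code from the thread: the session holds only the user's database id, each page fetches the row with a bound parameter, and the value prefilled into the contact form is HTML-encoded. The table, the user row and the function names are constructed for the example; the in-memory SQLite database is there so it runs offline.

```php
<?php
// Added example, not from the thread: id-only session, prepared query, encoded output.
declare(strict_types=1);

// Constructed users table (in-memory SQLite) standing in for the real Users table.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, email TEXT, plan TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash, email, plan) VALUES (?, ?, ?, ?)');
// The email is a constructed sample containing characters that would break out of an attribute.
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'alice@example.com" onfocus="x', 'trial']);

// Login: verify the password, then keep only the row id in the session (a reference, not a credential).
function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);            // fresh id once the user is authenticated
    $_SESSION = ['user_id' => (int) $row['id']];
    return true;
}

// Per page: the id from the session still goes into the query as a bound parameter,
// and everything read back is treated as user-supplied data for output purposes.
function currentUser(PDO $db): ?array {
    if (!isset($_SESSION['user_id']) || !is_int($_SESSION['user_id'])) {
        return null;                        // not logged in: generic page
    }
    $stmt = $db->prepare('SELECT id, username, email, plan FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;    // id no longer in the table: treat as logged out
}

// Prefill the contact form; encode for the HTML attribute context to prevent XSS.
function contactFormEmail(?array $user): string {
    $email = $user['email'] ?? '';
    return '<input name="email" value="' . htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

session_start();
login($db, 'alice', 'wrong');               // rejected, session stays empty
login($db, 'alice', 'correct horse');       // accepted, $_SESSION holds only user_id
echo contactFormEmail(currentUser($db)), PHP_EOL;
```

The printed input keeps the stray quote and onfocus text inside the value attribute as literal characters instead of as a new attribute.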
mottwsc
Forum Commoner
Posts: 55
Joined: Sun Dec 23, 2007 8:01 pm

Re: Regex, SSL on session variables?

Post by mottwsc »

I have questions about two things you wrote.
kaisellgren wrote: The ID is only stored in the session so that your application knows to look for the right column in the database. It's basically a foreign key.
I understand foreign keys, but that applies when you have more than one table and, for example, column 2 in table 1 needs to map to column 4 in table 2. In my case, I'm logging someone in based on a single table - Users - that contains the user ID (which will be used in the session variable for tracking), user name, password and other info. So I'm not sure what you mean, and I was suggesting making the userID more complex so that it couldn't be guessed so easily.
kaisellgren wrote: Encode it before placing it on the form to prevent XSS.
I do check the pre-filled user data after the form is submitted and before adding it to the database, so is there a need to encode it prior to placing it on the form? The user could change it anyway before submittal.

Thanks.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Regex, SSL on session variables?

Post by kaisellgren »

mottwsc wrote: I was suggesting making the userID more complex so that it couldn't be guessed so easily.
It does not really matter whether it can be guessed or not. At least it shouldn't. Your user ID is 35648 here, but that will have no effect on hijacking your session, nor can I access your details unless phpBB has a bug somewhere that reveals sensitive information.
mottwsc wrote: is there a need to encode it prior to placing it on the form? The user could change it anyway before submittal.
I was talking about XSS (Cross Site Scripting).
mottwsc
Forum Commoner
Posts: 55
Joined: Sun Dec 23, 2007 8:01 pm

Re: Regex, SSL on session variables?

Post by mottwsc »

OK - thanks for your posts.