Regex, SSL on session variables?
I create session variables upon a successful login for holding items between pages. For example: username, preferences and authorization.
(1) When I read from those session variables on the following pages, should I use something like a regex to revalidate what I'm reading from the session variable, or is this overkill?
(2) If I use SSL on my site, does this eliminate the need to do this since it will better protect the session variables?
Thanks!
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: Regex, SSL on session variables?
mottwsc wrote: I create session variables upon a successful login for holding items between pages. For example: username, preferences and authorization.
I never store user credentials in sessions. Storing a user id (something not required to log in) would be a better solution.
mottwsc wrote: (1) When I read from those session variables on the following pages, should I use something like a regex to revalidate what I'm reading from the session variable, or is this overkill?
Session data is stored on the server. While it is possible that it can be compromised, what are you going to validate it against? The better option is to take precautions to protect your data (i.e. storing the session files in a non-shared directory, or in a database).
mottwsc wrote: (2) If I use SSL on my site, does this eliminate the need to do this since it will better protect the session variables?
No, SSL protects data transmitted from server to client and vice versa. Since your session data is stored on the server, SSL will do nothing to protect it. SSL will, however, encrypt the session id as it is in transit between client and server, which is a requirement for secure pages.
Re: Regex, SSL on session variables?
Thanks for your suggestions.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Regex, SSL on session variables?
Use the database column ID to identify the user, not the username.
mottwsc wrote: (1) When I read from those session variables on the following pages, should I use something like a regex to revalidate what I'm reading from the session variable, or is this overkill?
What are you doing exactly? If you are, say, outputting a session variable, encode/filter it. If you are passing session data into the database, escape it. And so forth.
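An added example, not code from this thread, of the pattern flying_circus and kaisellgren describe: the session holds only the user's database id, later pages re-check that value and fetch the current row with a prepared query, and nothing from the session is trusted as output. The `users` table, its columns and the `$db` connection are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a `users` table with columns
// id, username, password_hash and contact_email, and a PDO connection in $db.
declare(strict_types=1);

// Session cookie hardening: sent only over HTTPS, not readable by script, and
// only server-generated ids are accepted (strict mode rejects unknown ids).
ini_set('session.use_strict_mode', '1');
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh session id at the privilege change so an id issued before login
    // cannot be reused (session fixation).
    session_regenerate_id(true);
    // Store only the key into the users table: no username, no password.
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// On every later page: the session value is an opaque key, so re-check its
// type and fetch the current row with a prepared query instead of trusting
// whatever was copied into the session at login time.
function currentUser(PDO $db): ?array
{
    if (!isset($_SESSION['user_id']) || !is_int($_SESSION['user_id'])) {
        return null; // anonymous visitor: show the generic page
    }
    $stmt = $db->prepare('SELECT id, username, contact_email FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    return $user === false ? null : $user; // account may have been removed since login
}
```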
Re: Regex, SSL on session variables?
I will switch to using a DB user ID in a session variable instead of the user name. On that note, I have used a sequential number for user ID in the past, but couldn't that be a risk since a hacker could run through a series of numbers and finally hit one? Wouldn't it be better to keep a number ID in one DB field, then append a random string of (six or so) numbers/characters to it and populate the user ID field with that?
kaisellgren wrote: What are you doing exactly? If you are, say, outputting a session variable, encode/filter it. If you are passing session data into the database, escape it. And so forth.
Once I validate a user on login, I assign several session variables such as their ID, whether or not they are a regular or trial user, what status they have, etc. There are general pages (like contact) that both logged-in and non-logged-in users can access. I need to read these session variables at the beginning of each page to determine what to show on a page. If (staying with the contact example) a user is not logged in, she sees a generic contact page. If a user is logged in, she sees a contact page that is already prefilled with her contact info. There are also specific pages that only a logged-in user can get to.
In certain cases, I'm just reading the session variable and branching to some code based on that. In other cases, I'm using the session variable in a query against the database. So, I'll plan to filter them each time I use them for a query just like any user input.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Regex, SSL on session variables?
mottwsc wrote: I will switch to using a DB user ID in a session variable instead of the user name. On that note, I have used a sequential number for user ID in the past, but couldn't that be a risk since a hacker could run through a series of numbers and finally hit one? Wouldn't it be better to keep a number ID in one DB field, then append a random string of (six or so) numbers/characters to it and populate the user ID field with that?
The ID is only stored in the session so that your application knows to look for the right column in the database. It's basically a foreign key.
mottwsc wrote: If a user is logged in, she sees a contact page that is already prefilled with her contact info.
You need to handle the prefilled data like any other user supplied data. Encode it before placing it on the form to prevent XSS. And as you said, you need to also handle data that goes to the database just like any other user input.
Re: Regex, SSL on session variables?
I have questions about two things you wrote.
kaisellgren wrote: The ID is only stored in the session so that your application knows to look for the right column in the database. It's basically a foreign key.
I understand foreign keys, but that applies when you have more than one table and, for example, column 2 in table 1 needs to map to column 4 in table 2. In my case, I'm logging someone in based on a single table - Users - that contains the user ID (which will be used in the session variable for tracking), user name, password and other info. So I'm not sure what you mean, and I was suggesting making the userID more complex so that it couldn't be guessed so easily.
kaisellgren wrote: Encode it before placing it on the form to prevent XSS.
I do check the pre-filled user data after the form is submitted and before adding it to the database, so is there a need to encode it prior to placing it on the form? The user could change it anyway before submittal.
Thanks.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Regex, SSL on session variables?
mottwsc wrote: I was suggesting making the userID more complex so that it couldn't be guessed so easily.
It does not really matter whether it can be guessed or not. At least it shouldn't. Your user ID is 35648 here, but that will have no effect on hijacking into your session nor can I access your details unless phpBB has a bug somewhere that reveals sensitive information.
mottwsc wrote: is there a need to encode it prior to placing it on the form? The user could change it anyway before submittal.
I was talking about XSS (Cross Site Scripting).
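An added example, not code from this thread, of the XSS point kaisellgren is making about the prefilled contact form: the same stored value rendered into the form unencoded and encoded. Checking the data after submit does not cover this, because the rendering happens before submit. The `$user` row is a constructed sample.

```php
<?php
// Added example, not code from the thread. $user is a constructed sample row:
// a display name a user saved to their own profile, as it comes back from the
// database once the contact page fetches it by the id held in the session.
declare(strict_types=1);

$user = ['name' => 'Mallory" onfocus="alert(1)', 'email' => 'mallory@example.com'];

// Unsafe: the stored value is dropped straight into the attribute, so the
// embedded quote ends value="..." and the rest is parsed as a new attribute.
function prefillUnsafe(array $user): string
{
    return '<input name="name" value="' . $user['name'] . '">';
}

// Hardened: encode for the HTML attribute context at the moment of output.
// ENT_QUOTES covers both quote characters, so the whole value stays inside
// the attribute no matter what was stored. Validation after submit happens
// on a different request and cannot undo this rendering.
function prefillSafe(array $user): string
{
    $name = htmlspecialchars($user['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="name" value="' . $name . '">';
}

echo prefillUnsafe($user), "\n"; // quote breaks out of the attribute
echo prefillSafe($user), "\n";   // quotes become &quot;, value stays a string
```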
Re: Regex, SSL on session variables?
OK - thanks for your posts.