Regex, SSL on session variables?

Posted: Fri Jan 01, 2010 3:14 pm
by mottwsc
I create session variables upon a successful login for holding items between pages. For example: username, preferences and authorization.

(1) When I read from those session variables on the following pages, should I use something like a regex to revalidate what I'm reading from the session variable, or is this overkill?

(2) If I use SSL on my site, does this eliminate the need to do this since it will better protect the session variables?

Thanks!

Re: Regex, SSL on session variables?

Posted: Fri Jan 01, 2010 3:31 pm
by flying_circus
mottwsc wrote:I create session variables upon a successful login for holding items between pages. For example: username, preferences and authorization.
I never store user credentials in sessions. Storing a user id (something not required to log in) would be a better solution.
mottwsc wrote: (1) When I read from those session variables on the following pages, should I use something like a regex to revalidate what I'm reading from the session variable, or is this overkill?
Session data is stored on the server. While it is possible that it can be compromised, what are you going to validate it against? The better option is to take precautions to protect your data (i.e. storing the session files in a non-shared directory, or in a database).
mottwsc wrote: (2) If I use SSL on my site, does this eliminate the need to do this since it will better protect the session variables?

Thanks!
No, SSL protects data transmitted from server to client and vice versa. Since your session data is stored on the server, SSL will do nothing to protect it. SSL will, however, encrypt the session id as it is in transit between client and server, which is a requirement for secure pages.

Re: Regex, SSL on session variables?

Posted: Fri Jan 01, 2010 5:22 pm
by mottwsc
Thanks for your suggestions.

Re: Regex, SSL on session variables?

Posted: Sat Jan 02, 2010 11:01 am
by kaisellgren
Use the database column ID to identify the user, not the username.
mottwsc wrote:(1) When I read from those session variables on the following pages, should I use something like a regex to revalidate what I'm reading from the session variable, or is this overkill?
What are you doing exactly? If you are, say, outputting a session variable, encode/filter it. If you are passing session data into the database, escape it. And so forth.

Re: Regex, SSL on session variables?

Posted: Sat Jan 02, 2010 2:30 pm
by mottwsc
I will switch to using a DB user ID in a session variable instead of the user name. On that note, I have used a sequential number for user ID in the past, but couldn't that be a risk since a hacker could run through a series of numbers and finally hit one? Wouldn't it be better to keep a number ID in one DB field, then append a random string of (six or so) numbers/characters to it and populate the user ID field with that?
kaisellgren wrote:What are you doing exactly? If you are, say, outputting a session variable, encode/filter it. If you are passing session data into the database, escape it. And so forth.
Once I validate a user on login, I assign several session variables such as their ID, whether or not they are a regular or trial user, what status they have, etc. There are general pages (like contact) that both logged-in and non-logged-in users can access. I need to read these session variables at the beginning of each page to determine what to show on a page. If (staying with the contact example) a user is not logged in, she sees a generic contact page. If a user is logged in, she sees a contact page that is already prefilled with her contact info. There are also specific pages that only a logged-in user can get to.

In certain cases, I'm just reading the session variable and branching to some code based on that. In other cases, I'm using the session variable in a query against the database. So, I'll plan to filter them each time I use them for a query just like any user input.

Re: Regex, SSL on session variables?

Posted: Sat Jan 02, 2010 2:52 pm
by kaisellgren
mottwsc wrote:I will switch to using a DB user ID in a session variable instead of the user name. On that note, I have used a sequential number for user ID in the past, but couldn't that be a risk since a hacker could run through a series of numbers and finally hit one? Wouldn't it be better to keep a number ID in one DB field, then append a random string of (six or so) numbers/characters to it and populate the user ID field with that?
The ID is only stored in the session so that your application knows to look for the right column in the database. It's basically a foreign key.
mottwsc wrote:If a user is logged in, she sees a contact page that is already prefilled with her contact info.
You need to handle the prefilled data like any other user supplied data. Encode it before placing it on the form to prevent XSS. And as you said, you need to also handle data that goes to the database just like any other user input.
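The pattern this reply describes, as an added example that is not from the thread or any poster: only the row id goes into the session, every page looks the user up with a bound parameter, and the prefilled contact value is HTML-encoded before it is placed on the form. The table, column names and the in-memory SQLite database are assumptions so the script runs offline.

```php
<?php
// Added example (not from the thread). Table/column names are assumed for
// illustration; SQLite in memory stands in for the real users database.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT, email TEXT, is_trial INTEGER)');
// Constructed sample row; the e-mail deliberately contains markup to show the encoding step.
$db->prepare('INSERT INTO users (username, pw_hash, email, is_trial) VALUES (?, ?, ?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'a"<b>x</b>@example.com', 0]);

// Login: verify the password, then keep only the row id (a foreign key) in the session.
function login(PDO $db, string $username, string $password): bool {
    $st = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh session id after the privilege change
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// On every page: the session holds the id only; status, trial flag etc. are read fresh.
function currentUser(PDO $db): ?array {
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $st = $db->prepare('SELECT id, email, is_trial FROM users WHERE id = ?');  // bound, never interpolated
    $st->execute([$_SESSION['user_id']]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Contact form: a stored value is user-supplied data, so encode it for the HTML attribute context.
function contactForm(?array $user): string {
    $email = $user === null ? '' : htmlspecialchars($user['email'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="email" name="email" value="' . $email . '">';
}

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
echo contactForm(currentUser($db)), "\n";   // not logged in: generic, empty form
login($db, 'alice', 'correct horse');
echo contactForm(currentUser($db)), "\n";   // logged in: prefilled, quotes and tags encoded
```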

Re: Regex, SSL on session variables?

Posted: Sat Jan 02, 2010 3:27 pm
by mottwsc
I have questions about two things you wrote.
kaisellgren wrote:The ID is only stored in the session so that your application knows to look for the right column in the database. It's basically a foreign key.
I understand foreign keys, but that applies when you have more than one table and, for example, column 2 in table 1 needs to map to column 4 in table 2. In my case, I'm logging someone in based on a single table - Users - that contains the user ID (which will be used in the session variable for tracking), user name, password and other info. So I'm not sure what you mean, and I was suggesting making the userID more complex so that it couldn't be guessed so easily.
kaisellgren wrote:Encode it before placing it on the form to prevent XSS.
I do check the pre-filled user data after the form is submitted and before adding it to the database, so is there a need to encode it prior to placing it on the form? The user could change it anyway before submittal.

Thanks.

Re: Regex, SSL on session variables?

Posted: Sat Jan 02, 2010 4:07 pm
by kaisellgren
mottwsc wrote:I was suggesting making the userID more complex so that it couldn't be guessed so easily.
It does not really matter whether it can be guessed or not. At least it shouldn't. Your user ID is 35648 here, but that will have no effect on hijacking into your session, nor can I access your details unless phpBB has a bug somewhere that reveals sensitive information.
mottwsc wrote:is there a need to encode it prior to placing it on the form? The user could change it anyway before submittal.
I was talking about XSS (Cross Site Scripting).

Re: Regex, SSL on session variables?

Posted: Sat Jan 02, 2010 4:34 pm
by mottwsc
OK - thanks for your posts.