Session security across multiple pages

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Session security across multiple pages

Post by social_experiment »

I have a blog and at the moment I am working on some code that will mark my comments as 'administrator' comments should I make a comment while logged into the back-end. I use session variables to determine whether the administrator is logged in or not. I plan to use some of the same values, let's say $_SESSION['loggedIn'], on the comments page to determine if the user making the comment is the administrator or not.

My questions regarding this are:

1. After logging in a session is created, and on the comments page I have to use 'session_start()' or I won't be able to test for session variables that have been set during the login. Is there any risk here? Here is the part of the code of my administrator authorize function that is relevant to the question:

<?php
 session_start(); // the session must be started before $_SESSION can be read on this page
 //
 if (!isset($_SESSION['loggedIn']) || $_SESSION['loggedIn'] == 0) {
     // user is NOT logged in
 }
?>
And here is the code I plan to use for the comments page to determine whether the poster is the administrator or not:

<?php
 session_start(); // the session must be started before $_SESSION can be read on this page
 //
 // test the same flag and value that the login code checks, so that a
 // session in which loggedIn is 0 is not treated as the administrator
 if (isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] != 0) {
     // user is logged in and therefore
     // admin
 }
?>
2. When the comment page is accessed, a cookie is created (automatically) called PHPSESSID. I don't use the cookie in any way. Does this pose a security risk?
3. Am I correct in saying that the session started when I log into the back-end is only valid on the computer (or browser) that I am using at that specific time, and that when I close the browser or log out the session is destroyed?
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
curlybracket
Forum Commoner
Posts: 59
Joined: Mon Nov 29, 2010 2:40 pm

Re: Session security across multiple pages

Post by curlybracket »

1. It seems like the standard way to handle sessions and user credentials. Credentials are usually stored in session variables, so there is nothing wrong with this method. You have to use session_start() on your comments page of course, but you should also remember that if you go to another page on your site where you didn't put session_start(), the session will be destroyed and you will have to log in again in your back-end. The solution is to put session_start() on every page of your site or, even better, at the top of the main controller, usually some index.php file. There is nothing wrong with that.

2. PHP needs this cookie to store session id. Nothing wrong with that.

3. There are many ways to attack sessions and many ways to improve their security. Google PHP session security and you will get plenty of information that will make you worried :)
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Session security across multiple pages

Post by social_experiment »

curlybracket wrote: You have to use session_start() on your comments page of course, but you should also remember that if you go to another page on your site where you didn't put session_start(), the session will be destroyed and you will have to log in again in your back-end. The solution is to put session_start() on every page of your site or, even better, at the top of the main controller, usually some index.php file. There is nothing wrong with that.
Yip, but I don't need session_start() at the top of every page because only the comments page needs to know when an administrator is logged in; the rest is moot.
curlybracket
Forum Commoner
Posts: 59
Joined: Mon Nov 29, 2010 2:40 pm

Re: Session security across multiple pages

Post by curlybracket »

This is true. I'm just saying that if you edit your comment, then navigate somewhere else on your site and then come back to the comments module, you will no longer be logged in because your session will be destroyed after visiting pages without session_start().
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Session security across multiple pages

Post by social_experiment »

curlybracket wrote: I'm just saying that if you edit your comment, then navigate somewhere else on your site and then come back to the comments module, you will no longer be logged in because your session will be destroyed after visiting pages without session_start().
Only if I call session_destroy() at the bottom of the comment page.

I found the following information related to the session ID: The session ID is the key to the session data. By default, PHP will store this in a cookie, which is preferable from a security standpoint. It is possible in PHP to use sessions without cookies, but that leaves the application vulnerable to session hijacking: If I can learn another user's session ID, I can easily trick a server into thinking that their session ID is my session ID. At that point I have effectively taken over the original user's entire session and would have access to their data. So storing the session ID in a cookie makes it somewhat harder to steal.


If I change my script on the comment page in the following manner, how will it affect the security?

<?php
 // full open tag: the short "<?" form only works when short_open_tag is enabled
 session_start();
 session_regenerate_id();
 // rest of the code
?>
cpetercarter
Forum Contributor
Posts: 474
Joined: Sat Jul 25, 2009 2:00 am

Re: Session security across multiple pages

Post by cpetercarter »

I doubt if it will make much difference to the security of your site. It is however important to regenerate the session id when a user successfully logs in.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Session security across multiple pages

Post by social_experiment »

cpetercarter wrote: It is however important to regenerate the session id when a user successfully logs in.
Yeah, but this isn't a login scenario, it's a 'check-if-admin-is-logged-in' scenario. To my reasoning, the session id (PHPSESSID) that is created when I log in has, let's say, the value X. When another user visits the page (comment page) and the check starts, session_regenerate_id() is called and changes the value of PHPSESSID to something else (let's assume Y), so this new user doesn't have access to the session id value X and thus (according to the excerpt I pasted: The session ID is the key to the session data.) doesn't have access to my session variables. This isn't my only security measure, but I'd like to know if this is an option that will keep the common garden-variety cracker at bay.
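The admin check from the first post and the point about regenerating the session id, worked through as one added example that is not code from this thread. Every browser carries its own session cookie, so a session_regenerate_id() on the comments page only renews the visiting user's own id and never touches the administrator's session; the place where the id should change is the login, where that visitor's privilege changes. Assumes PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example, not the original poster's code. One small helper shared by
// the login page, the comments page and the logout page of the blog.
declare(strict_types=1);

function start_session_securely(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;                      // already started on this request
    }
    // Accept the id from the cookie only, never from a URL parameter,
    // and refuse ids the server never issued (strict mode).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,                      // not readable from JavaScript
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']), // cookie only over TLS when available
    ]);
    session_start();
}

// Login page: call this only after the administrator's credential has been
// verified. The id is regenerated here, at the privilege change, so an id
// handed out before login cannot be reused; "true" discards the old data.
function admin_login(): void
{
    start_session_securely();
    session_regenerate_id(true);
    $_SESSION['loggedIn'] = 1;
}

// Comments page: decides whether the poster is the administrator. Only this
// browser's own session is consulted, so an ordinary visitor simply has no
// loggedIn flag and the function returns false.
function is_admin_session(): bool
{
    start_session_securely();
    return isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] === 1;
}

// Logout: clear the data and expire the cookie, not just the PHP variables.
function admin_logout(): void
{
    start_session_securely();
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}
```

On the comments page the check reduces to `$isAdmin = is_admin_session();`, and session_regenerate_id() is not needed there because the visitor's privilege does not change on that request.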