Session security across multiple pages
Posted: Wed Dec 01, 2010 3:50 am
by social_experiment
I have a blog and at the moment I am working on some code that will mark my comments as 'administrator' comments should I make a comment while logged into the back-end. I use session variables to determine whether the administrator is logged in or not. I plan to use some of the same values, let's say
$_SESSION['loggedIn'], on the comments page to determine if the user making the comment is the administrator or not.
My questions regarding this are:
1. After logging in a session is created, and on the comments page I have to use 'session_start()' or I won't be able to test for session variables that have been set during the login. Is there any risk here? Here is the part of the code of my administrator authorize function that is relevant to the question
Code:
<?php
// the session must be started before $_SESSION can be read
session_start();
if (!isset($_SESSION['loggedIn']) || $_SESSION['loggedIn'] == 0) {
// user is NOT logged in
}
?>
And here is the code I plan to use for the comments page to determine whether the poster is the administrator or not
Code:
<?php
// the session must be started here too, or $_SESSION is empty
session_start();
// same test as the back-end check, so a value of 0 is never treated as logged in
if (isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] != 0) {
// user is logged in and therefore
// admin
}
?>
2. When the comment page is accessed, a cookie is created (automatically) called PHPSESSID. I don't use the cookie in any way. Does this pose a security risk?
3. Am I correct in saying that the session started when I log into the back-end is only valid on the computer (or browser) that I am using at that specific time, and when I close the browser or log out the session is destroyed?
Re: Session security across multiple pages
Posted: Wed Dec 01, 2010 10:22 am
by curlybracket
1. It seems like a standard way to handle sessions and user credentials. Credentials are usually stored in session variables, so there is nothing wrong with this method. You have to use session_start() on your comments page of course, but you should also remember that if you go to another page on your site where you didn't put session_start(), the session will be destroyed and you will have to log in again in your back-end. The solution is to put session_start() on every page of your site or, even better, at the top of the main controller, usually some index.php file. There is nothing wrong with that.
2. PHP needs this cookie to store the session id. Nothing wrong with that.
3. There are many ways to attack sessions and many ways to improve their security. Google PHP session security and you will get plenty of information that will make you worried.

Re: Session security across multiple pages
Posted: Wed Dec 01, 2010 11:08 am
by social_experiment
curlybracket wrote: You have to use session_start() on your comments page of course, but you should also remember that if you go to another page on your site where you didn't put session_start(), the session will be destroyed and you will have to log in again in your back-end. The solution is to put session_start() on every page of your site or, even better, at the top of the main controller, usually some index.php file. There is nothing wrong with that.
Yip, but I don't need session_start() at the top of every page because only the comments page needs to know when an administrator is logged in; the rest is moot.
Re: Session security across multiple pages
Posted: Wed Dec 01, 2010 12:03 pm
by curlybracket
This is true. I'm just sayin' that if you edit your comment, then navigate somewhere else on your site and then come back to the comments module, you will no longer be logged in because your session is destroyed after visiting pages without session_start().
Re: Session security across multiple pages
Posted: Thu Dec 02, 2010 3:49 am
by social_experiment
curlybracket wrote: I'm just sayin' that if you edit your comment, then navigate somewhere else on your site and then come back to the comments module, you will no longer be logged in because your session is destroyed after visiting pages without session_start().
Only if I call session_destroy() at the bottom of the comment page.
I found the following information related to the session ID:
The session ID is the key to the session data. By default, PHP will store this in a cookie, which is preferable from a security standpoint. It is possible in PHP to use sessions without cookies, but that leaves the application vulnerable to session hijacking: If I can learn another user’s session ID, I can easily trick a server into thinking that their session ID is my session ID. At that point I have effectively taken over the original user’s entire session and would have access to their data. So storing the session ID in a cookie makes it somewhat harder to steal.
If I change my script on the comment page in the following manner, how will it affect the security?
Code:
<?php
session_start();
session_regenerate_id();
// rest of the code
?>
Re: Session security across multiple pages
Posted: Sat Dec 04, 2010 1:40 am
by cpetercarter
I doubt if it will make much difference to the security of your site. It is however important to regenerate the session id when a user successfully logs in.
Re: Session security across multiple pages
Posted: Mon Dec 06, 2010 12:30 pm
by social_experiment
cpetercarter wrote:It is however important to regenerate the session id when a user successfully logs in.
Yeah, but this isn't a login scenario, it's a 'check-if-admin-is-logged-in' scenario. To my reasoning, the session id (PHPSESSID) that is created when I log in has, let's say, value X. When another user visits the page (comment page) and the check starts,
session_regenerate_id() is called and changes the value of PHPSESSID to something else (let's assume Y), so this new user doesn't have access to the session id value X and thus (according to the excerpt I pasted:
The session ID is the key to the session data.) doesn't have access to my session variables. This isn't my only security measure, but I'd like to know if this is an option that will keep the common garden-variety cracker at bay.
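As an added example (not code from anyone in this thread), here is one bootstrap include covering the points raised above: session_start() on every page, session_regenerate_id() at the moment of login rather than on every comment-page visit, and a strict admin check. The function names, ADMIN_PASSWORD_HASH placeholder and HTTPS assumption are illustrative; the cookie-parameter array form needs PHP 7.3 or later.

```php
<?php
// Added example: session bootstrap to include at the top of every page
// (e.g. index.php). admin_login(), admin_logged_in(), admin_logout() and
// ADMIN_PASSWORD_HASH are assumed names, not from the thread.

// Cookie flags must be set before session_start(). HttpOnly keeps page
// scripts from reading PHPSESSID; Secure sends it over HTTPS only.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,     // assumes the blog is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Constructed placeholder: replace with a real password_hash() result,
// stored outside the web root.
const ADMIN_PASSWORD_HASH = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';

// Called once, from the back-end login form, when the password verifies.
function admin_login(string $submitted): bool
{
    if (!password_verify($submitted, ADMIN_PASSWORD_HASH)) {
        return false;
    }
    // Regenerate when privilege changes, so a session id that was known
    // before login does not become an administrator id.
    session_regenerate_id(true);   // true also deletes the old session data
    $_SESSION['loggedIn'] = 1;
    return true;
}

// Used on the comments page (and anywhere else) to decide whether the
// current request comes from the logged-in administrator. Each browser has
// its own PHPSESSID and therefore its own $_SESSION, so another visitor's
// request never sees the administrator's data; regenerating the visitor's
// id on every page view adds nothing to that separation.
function admin_logged_in(): bool
{
    return isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] === 1;
}

// Back-end logout: clear the data, expire the cookie, destroy the session.
function admin_logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}
```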