Php Session

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


ko_sAnton
Forum Newbie
Posts: 1
Joined: Wed Apr 13, 2011 3:08 am

Php Session

Post by ko_sAnton »

I have written a simple script for login, and when you log in, it starts a session.
When I log out, I use session_destroy();..

Now in the browser (Firefox), if I click the button "Go Back one Page", I have the session that I destroyed before...

How can I fix it?
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Php Session

Post by social_experiment »

Firstly, it goes a bit faster if you paste your script. It's possible that you are setting certain values during the login process but you don't destroy them, and when you go back, those values are still 'active'.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
dukenmarga
Forum Newbie
Posts: 1
Joined: Sat Mar 12, 2011 7:32 pm

Re: Php Session

Post by dukenmarga »

I have 2 opinions about this:
1. I think when you go back to request your last page, there are lines in your last page that are useful to activate your session, so you see that you have your session again.
2. When you go back to your last page, your last page only shows the last view; in this case you had a session when it was viewed, but the session has changed since. Try to reload your page to see the new view from the page.
waytoecommerce
Forum Newbie
Posts: 16
Joined: Tue Apr 12, 2011 11:47 am

Re: Php Session

Post by waytoecommerce »

The code given below is fully secure, and once the session gets destroyed it will never start. Please read each line carefully.

Code:

$result = $login_data->logi($_REQUEST['user_name'], $_REQUEST['password']);

$secret = SECRET_KEY . date('d');   // secret changes once a day
$pfid   = $result[0];               // profile_id returned by logi()
$hash   = sha1($secret . $pfid);    // was sha1($secret . $id): $id was never set

if ($result[1] == 1) {
    $_SESSION['user_name'] = $_REQUEST['user_name'];
    $_SESSION['hash']      = $hash;
    header("Location: yoururl.html");
}
Logi function:

Code:

public function logi($data1, $data2) {
    // the username is interpolated straight into the SQL string
    $query  = mysql_fetch_array(mysql_query("SELECT profile_id, username, password, status FROM user WHERE username='$data1'"));
    $num    = mysql_num_rows(mysql_query("SELECT username, password FROM user WHERE username='$data1'"));
    $secret = SECRET_KEY;
    if ($num > 0) {   // was >= 0, which is always true
        if ($data1 == $query['username'] && sha1($secret . $data2) == $query['password'] && $query['status'] == 1) {
            $_SESSION['user_name'] = $query['username'];
            $s = new fetch();
            $s->status_change($query['username']);   // record the user as logged in
            return array($query['profile_id'], 1);
        } else {
            return 0;
        }
    } else {
        return 0;
    }
}
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Php Session

Post by Mordred »

waytoecommerce wrote:given below code is fully secure
No, it isn't. There are multiple security problems with this code and not a single attempt at solving them. I suggest you review what you know about SQL injection and the header() function.
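The two objections in this reply, shown as working code. This is an added example and not code from any poster in the thread: it assumes a PDO connection in `$pdo` (the DSN and credentials are placeholders), the `user` table with the `profile_id`, `username`, `password` and `status` columns from waytoecommerce's query, and that the `password` column holds `password_hash()` output rather than the posted `sha1(SECRET_KEY . $password)`, which is a deliberate change from the posted scheme.

```php
<?php
// Added example, not code from any poster in the thread. Assumptions:
// a PDO connection ($pdo, placeholder DSN/credentials), the `user` table
// and columns from the posted query, and password_hash()-style hashes in
// the `password` column instead of the posted sha1(SECRET_KEY . $pw).

// Posted pattern, kept only for comparison (do not use):
//   mysql_query("SELECT ... FROM user WHERE username='$data1'")
// $data1 becomes part of the SQL text, so the client controls the query.

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

/**
 * Returns the profile_id on success, null on any failure.
 */
function login(PDO $pdo, string $username, string $password): ?int
{
    // Bound parameter: the username travels as data and never changes the query text.
    $stmt = $pdo->prepare(
        'SELECT profile_id, password, status FROM user WHERE username = ? LIMIT 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // One generic outcome for "unknown user", "wrong password" and
    // "disabled account"; password_verify() compares in constant time.
    if ($row === false
        || (int) $row['status'] !== 1
        || !password_verify($password, $row['password'])) {
        return null;
    }

    // Fresh session id on privilege change (login), so an id handed to the
    // browser before authentication is not the one that ends up authenticated.
    session_regenerate_id(true);
    $_SESSION['user_name']  = $username;
    $_SESSION['profile_id'] = (int) $row['profile_id'];
    return (int) $row['profile_id'];
}

/**
 * header('Location: ...') only adds a response header; PHP keeps executing,
 * and everything the script outputs afterwards is still sent to the client.
 * Stopping right after the header is what makes the redirect final.
 */
function redirectAndStop(string $url): void
{
    header('Location: ' . $url, true, 303);
    exit;
}

session_start();
if (login($pdo, $_POST['user_name'] ?? '', $_POST['password'] ?? '') !== null) {
    redirectAndStop('/home.php'); // placeholder target
}
// Reached only when the login failed: show the form again with a generic message.
echo 'Login failed.';
```

The prepared statement replaces both string interpolation and manual escaping: with emulated prepares switched off, MySQL receives the query text and the parameter separately, so no quoting rule has to be right. The `exit` after `header()` is the second point; without it the protected page after the redirect line is still rendered into the response body.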
waytoecommerce
Forum Newbie
Posts: 16
Joined: Tue Apr 12, 2011 11:47 am

Re: Php Session

Post by waytoecommerce »

We have answered regarding the session_destroy() issue, not about the SQL injection.
For making the code more secure we have to include SQL injection restrictions via the .htaccess file, and there are other methods to do it.
Security of web applications is a very broad area.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Php Session

Post by social_experiment »

waytoecommerce wrote:We have answered regarding the session_destroy() issue not about the sql injection.
True, but security should be second nature when creating code :)
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Php Session

Post by Mordred »

waytoecommerce wrote: For making the code more secure we have to include SQL injection restrictions via the .htaccess file, and there are other methods to do it.
I'm sorry, but I think you don't know what you are talking about. This is not how one protects against SQL injection, it's by using proper SQL syntax and escaping (see the article in my sig).
I'm curious to see what you do with .htaccess though, it's the first time I see someone trying to use it for that purpose.
xtiano77
Forum Commoner
Posts: 72
Joined: Tue Sep 22, 2009 10:53 am
Location: Texas

Re: Php Session

Post by xtiano77 »

I use the code below on my logout page and, with the exception of the "Epiphany" web browser, it works pretty well on Internet Explorer, Firefox and Safari.

Code:

public function destroySession(){
	$_POST    = array();                  // drop any request data from this request
	$_GET     = array();
	$_SESSION = array();                  // empty the session data for this request
	session_destroy();                    // remove the server-side session data
	// expire the session cookie in the browser (cookie name is hard-coded here)
	setcookie("PHPSESSID", "", time() - 1200, "/", ".yourwebsitehere.com");
}

public function createNewSession(){
	session_regenerate_id(true);          // new id; the old session file is deleted
	session_write_close();                // write and close the current session
	session_start();                      // resume under the new id
	# your code here...
}

public function validateSession(){
	try{
		$this->checkSessionTimer();       // each check throws when its test fails
		$this->checkUserIpAddress();
		$this->checkSessionBrowser();
	}catch(Exception $e){
		header("Location: http://www.yourwebsitehere.com/yourpagehere.php");
		exit;                             // stop here so the protected page is not rendered
	}
}

public function validateSession(){
	try{
		$this -> checkSessionTimer();
		$this -> checkUserIpAddress();
		$this -> checkSessionBrowser();
	}catch(Exception $e){
		header("Location: http://www.yourwebsitehere.com/yourpagehere.php");
	}
}
Now, I am sure there are more secure ways to do it than the above, but like I've said earlier this has worked pretty well for me so far. The first method/function begins by clearing the $_POST and $_GET arrays followed by all the values of the $_SESSION variable. Then it calls the "session_destroy( )" method. Afterwards, if a person tries to access a page by clicking on the browser's "back" button, the "validateSession( )" method/function will check to see if the necessary $_SESSION variables are set and, if they are not, which is the idea, it throws an exception, therefore stopping the rest of the code and redirecting the page to the one specified in the "catch( )" code block.

Afterwards, if a person tries to log back into the site the system calls "session_regenerate_id(true)", which creates a new session id and deletes the current $_SESSION file upon completion of the script. It then calls "session_write_close( )", which closes and saves the session data (this is normally done by default at the end of each script), and follows with a call to "session_start( )"; from that point on you are using an entirely new $_SESSION variable with whatever values you want to assign to it.

I know this is perhaps a simplistic solution to the problem, but if the more senior PHP coders out there have a better approach to this issue I would love to see it and learn from it. Hope this helps. Cheers!!!

xtiano77
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Php Session

Post by flying_circus »

xtiano77 wrote:

Code:

public function destroySession(){
	$_POST			= array();
	$_GET			= array();
	$_SESSION		= array();
	session_destroy();
	setcookie("PHPSESSID", "", time() - 1200, "/", ".yourwebsitehere.com");
}

public function createNewSession(){
	session_regenerate_id(true);
	session_write_close();
	session_start();
	# your code here...
}

public function validateSession(){
	try{
		$this -> checkSessionTimer();
		$this -> checkUserIpAddress();
		$this -> checkSessionBrowser();
	}catch(Exception $e){
		header("Location: http://www.yourwebsitehere.com/yourpagehere.php");
	}
}
- Why do you empty the $_GET and $_POST vars in destroySession()?
- What happens if the session_name() is not PHPSESSID?
- Why do you regenerate the session id, close the session, and then start a new one in createNewSession()?
xtiano77
Forum Commoner
Posts: 72
Joined: Tue Sep 22, 2009 10:53 am
Location: Texas

Re: Php Session

Post by xtiano77 »

- Why do you empty the $_GET and $_POST vars in destroySession( )?
* Just wanted to remove any and all data provided by the user during the session. It is a matter of choice really.
- What happens if the session_name( ) is not PHPSESSID?
* I used the default name assigned by PHP, and because it is the name of the cookie sent to the browser.
- Why do you regenerate the session id, close the session, and then start a new one in createNewSession( )?
* One reason: to prevent session hijacking. It can help foil session fixation attacks.
* If you obtain someone's session ID you can effectively log in as them. If the session ID changes frequently, the chance of a compromised session ID still being active decreases.
* A general rule of thumb is to generate the session ID each time a user changes his access level:
  When a user logs in
  When a user logs out
  When a user gets administrative access
* Some people think that the session ID should be regenerated every 10 transactions/requests or so, but I only do it at login.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Php Session

Post by flying_circus »

xtiano77 wrote: - Why do you empty the $_GET and $_POST vars in destroySession( )?
* Just wanted to remove any and all data provided by the user during the session. It is a matter of choice really.
Ok, I suppose every situation is different.

In a more typical scenario, $_GET and $_POST don't persist, so there is no reason to destroy them, especially if you are about to redirect. $_GET should contain only a minimum of information, ideally just navigation vars. If you destroy your navigation vars you'd likely have to redirect to the default home page.
xtiano77 wrote: - What happens if the session_name( ) is not PHPSESSID?
* I used the default name assigned by PHP, and because it is the name of the cookie sent to the browser.
Sure, but the session name can be changed both in the configuration and at runtime. You should use session_name() to fetch the session name, so there is no guesswork involved.

Code:

setcookie(session_name(), "", time() - 1200, "/", ".yourwebsitehere.com");
xtiano77 wrote: - Why do you regenerate the session id, close the session, and then start a new one in createNewSession( )?
* One reason: to prevent session hijacking. It can help foil session fixation attacks.
* If you obtain someone's session ID you can effectively log in as them. If the session ID changes frequently, the chance of a compromised session ID still being active decreases.
* A general rule of thumb is to generate the session ID each time a user changes his access level:
  When a user logs in
  When a user logs out
  When a user gets administrative access
* Some people think that the session ID should be regenerated every 10 transactions/requests or so, but I only do it at login.
I understand what you mean, but the order of operations in your code is to:
1. Regenerate Session Id (i.e. change the id of the current session)
2. Close the current session
3. Start the session again.

Why not skip steps 2 and 3?
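The points from this exchange put together in one logout routine: deleting the cookie under the name returned by session_name() with the parameters it was issued with, emptying $_SESSION before session_destroy(), and making sure the browser re-requests the protected page on "Back" instead of showing a cached copy (the original poster's symptom). This is an added example and not code from any poster in the thread; `/login.php` is a placeholder path, and the options-array form of setcookie() together with the `samesite` key of session_get_cookie_params() assume PHP 7.3 or later.

```php
<?php
// Added example, not code from any poster in the thread. /login.php is a
// placeholder; the options-array form of setcookie() and the 'samesite'
// cookie parameter assume PHP 7.3+.

// With the 'nocache' limiter PHP sends Cache-Control: no-store, no-cache,
// must-revalidate plus Pragma/Expires on every session page, so "Back"
// re-requests the page rather than replaying a cached copy. It is the
// default, set explicitly here in case php.ini changed it. Must precede
// session_start().
session_cache_limiter('nocache');
session_start();

function logout(): void
{
    // session_destroy() only removes the server-side data. It does not
    // empty $_SESSION for the running request and does not touch the cookie,
    // so the next request could still present the old id.
    $_SESSION = [];

    if (ini_get('session.use_cookies')) {
        // Expire the cookie under the name the session actually uses
        // (session_name(), not a hard-coded PHPSESSID) and with the same
        // path/domain/flags it was issued with; otherwise the browser keeps it.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',
        ]);
    }

    session_destroy();
}

// Guard for every protected page: once the session data is gone, the page
// the browser re-requests on "Back" redirects instead of rendering.
function requireLogin(string $loginUrl): void
{
    if (empty($_SESSION['user_name'])) {
        header('Location: ' . $loginUrl, true, 303);
        exit;
    }
}

// logout.php: destroy, then redirect and stop.
logout();
header('Location: /login.php', true, 303);
exit;
```

On the ordering question above: `session_regenerate_id(true)` already replaces the id of the running session and deletes the old server-side file, and PHP writes the session out when the script ends, so the close-and-restart pair is not needed for the id change to take effect. An explicit `session_write_close()` is only useful when you want the data flushed before doing further slow work in the same request.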
xtiano77
Forum Commoner
Posts: 72
Joined: Tue Sep 22, 2009 10:53 am
Location: Texas

Re: Php Session

Post by xtiano77 »

flying_circus,

Thanks for the session_name( ) suggestion, I hadn't thought about it.

As far as the session_regenerate_id( ) goes, I just don't feel like waiting until PHP calls session_write_close( ) at the end of the script. I want to make sure it is called when I want it called.

Also, the $_GET var will normally have a value. After the logout link is clicked the page is redirected to a script which, after clearing all the data, assigns a message which in turn will be displayed to the user via JavaScript.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Php Session

Post by Apollo »

waytoecommerce wrote:For making the code more secure we have to include sql injection restriction via .htaccess file
Wait... What? How?? :?:
(you ever heard of mysql_real_escape_string?)