Sessions.... Just how secure are they?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Noodleyman
Forum Newbie
Posts: 23
Joined: Thu Jun 23, 2011 4:49 pm

Sessions.... Just how secure are they?

Post by Noodleyman »

Just a random, very open question, this one. I wrote a login system which I believe to be very secure; however, I put a lot of faith in PHP sessions without really knowing just how secure they are.

For instance, let's say a user has passed all validation, and a session is created with information registered. Is the registered information in that session safe? Is it possible to trick the server into creating sessions, etc.?

Just random end of day questions :)
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Sessions.... Just how secure are they?

Post by social_experiment »

It depends on how you pass along the values: in a cookie, in a URL. Those values could be taken from the URL (or cookie) and used (session fixation & session hijacking). Also, if I'm not mistaken, if you share your webserver with others, those session values could be accessible to them.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
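The fixation and hijacking routes mentioned above are addressed by how the session ID is carried and when it is replaced. The following is an added example, not code from this thread: a session bootstrap that keeps the ID out of the URL, refuses IDs the server never issued, restricts the cookie, and re-issues the ID at login. It assumes PHP 7.3 or later (array form of session_set_cookie_params) and an HTTPS-only site.

```php
<?php
// Added example, not code from the thread: a hardened session bootstrap that
// closes the routes named above. The ID travels only in a cookie (never the
// URL), the server refuses IDs it did not issue, the cookie is unreadable to
// page scripts and sent only over HTTPS, and the ID is replaced at login.

function start_secure_session(): void
{
    // Never read or emit the session ID from/into the query string.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject client-supplied IDs the server never created: this defeats the
    // fixation setup where an attacker plants a known ID before login.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // dies with the browser; server-side expiry below
        'path'     => '/',
        'secure'   => true,   // HTTPS only, so the ID cannot be sniffed in transit
        'httponly' => true,   // not readable by JavaScript (limits XSS-based theft)
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_user(int $userId): void
{
    // Discard the ID the client arrived with, whether planted or not, and
    // issue a fresh one; true also deletes the old server-side record.
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId, 'created_at' => time()];
}

function require_login(int $maxAge = 1800): int
{
    // Server-side expiry: the cookie lifetime above is advisory only, since
    // the client decides whether to keep sending it.
    if (empty($_SESSION['user_id']) || time() - $_SESSION['created_at'] > $maxAge) {
        $_SESSION = [];
        session_destroy();
        http_response_code(401);
        exit('login required');
    }
    return (int) $_SESSION['user_id'];
}
```

Call start_secure_session() before any output on every page, login_user() only after credentials have been verified, and require_login() on every protected page.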
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Sessions.... Just how secure are they?

Post by flying_circus »

If you are using file-based sessions, then it would be in your best interest to change the session.save_path directive to a directory within your account root (and outside the www root).
Noodleyman
Forum Newbie
Posts: 23
Joined: Thu Jun 23, 2011 4:49 pm

Re: Sessions.... Just how secure are they?

Post by Noodleyman »

social_experiment wrote:It depends on how you pass along the values: in a cookie, in a URL. Those values could be taken from the URL (or cookie) and used (session fixation & session hijacking). Also, if I'm not mistaken, if you share your webserver with others, those session values could be accessible to them.
I have already considered those elements. I do not use cookies (Hate them!), I never pass the sessionID in any form data, you don't really need to, so that data is not available from URLs, and a dedicated server is always the way forward because I don't like to share ;)

yay :D
Noodleyman
Forum Newbie
Posts: 23
Joined: Thu Jun 23, 2011 4:49 pm

Re: Sessions.... Just how secure are they?

Post by Noodleyman »

flying_circus wrote:If you are using file-based sessions, then it would be in your best interest to change the session.save_path directive to a directory within your account root (and outside the www root).
Good advice, I will double check this.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: Sessions.... Just how secure are they?

Post by superdezign »

Noodleyman wrote:I do not use cookies (Hate them!)
Why? Cookies are used to save information between page requests. If you don't use cookies, the only way to do this is to add the data to the page requests via GET and POST data. Since most page requests are GET requests (i.e. clicking an anchor), you'd have to send data through GET data via the query string. This not only forces the data to be output (multiple times, likely) in the server response, but also lengthens your URLs.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Sessions.... Just how secure are they?

Post by social_experiment »

Noodleyman wrote:I do not use cookies
Neither do I (and not because I hate them), but set a session and, using your browser, check if any cookies have been set.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Sessions.... Just how secure are they?

Post by flying_circus »

Noodleyman wrote:I do not use cookies (Hate them!), I never pass the sessionID in any form data, you don't really need to, so that data is not available from URLs
How are you keeping track of user sessions? As far as I know, the only ways to track a user session are to maintain the id in a cookie, url querystring, or make it really hard and use post vars. If you're not using any of those methods, how are you tracking the session?
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: Sessions.... Just how secure are they?

Post by AbraCadaver »

flying_circus wrote:
Noodleyman wrote:I do not use cookies (Hate them!), I never pass the sessionID in any form data, you don't really need to, so that data is not available from URLs
How are you keeping track of user sessions? As far as I know, the only ways to track a user session are to maintain the id in a cookie, url querystring, or make it really hard and use post vars. If you're not using any of those methods, how are you tracking the session?
Yes, and cookie-based sessions are the default.
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
Noodleyman
Forum Newbie
Posts: 23
Joined: Thu Jun 23, 2011 4:49 pm

Re: Sessions.... Just how secure are they?

Post by Noodleyman »

flying_circus wrote:
Noodleyman wrote:I do not use cookies (Hate them!), I never pass the sessionID in any form data, you don't really need to, so that data is not available from URLs
How are you keeping track of user sessions? As far as I know, the only ways to track a user session are to maintain the id in a cookie, url querystring, or make it really hard and use post vars. If you're not using any of those methods, how are you tracking the session?
Stored in MySQL DB.

I do not allow users to remain logged in for any longer than my session expiration time.

I also do not allow users to use things such as "remember me" or "keep me logged in" check boxes. I force users to log in each visit, as well as enforce a strict single sign-in policy. If they log in from another browser / location then it logs out the first session.
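The strict single sign-in policy described above can be enforced on top of DB-stored sessions by recording which session ID each user most recently logged in with. This is an added example, not Noodleyman's code: it assumes sessions already live in MySQL via a custom handler, a PDO connection, PHP 5.6 or later for hash_equals, and one extra table constructed for the example, active_logins(user_id INT PRIMARY KEY, session_id VARCHAR(128), login_at INT).

```php
<?php
// Added example, not from the thread: one active session per user.
// Assumed (constructed) table:
//   active_logins(user_id INT PRIMARY KEY, session_id VARCHAR(128), login_at INT)

function record_single_login(PDO $db, int $userId): void
{
    // New ID at the privilege boundary, so a pre-login (possibly planted)
    // ID is never promoted to an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;

    // One row per user: a second login overwrites the first, which from then
    // on fails session_is_current() on its next request (i.e. is logged out).
    $stmt = $db->prepare(
        'INSERT INTO active_logins (user_id, session_id, login_at) VALUES (?, ?, ?)
         ON DUPLICATE KEY UPDATE session_id = VALUES(session_id), login_at = VALUES(login_at)'
    );
    $stmt->execute([$userId, session_id(), time()]);
}

function session_is_current(PDO $db, int $maxAge = 1800): bool
{
    $userId = $_SESSION['user_id'] ?? null;
    if ($userId === null) {
        return false;
    }
    $stmt = $db->prepare('SELECT session_id, login_at FROM active_logins WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Evicted by a newer login elsewhere, or past the hard expiry: end it.
    if ($row === false
        || !hash_equals($row['session_id'], session_id())
        || time() - (int) $row['login_at'] > $maxAge) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}
```

Run session_is_current() after session_start() on every protected request; the hard expiry in $maxAge is the server-side equivalent of the session expiration time mentioned above, independent of anything the browser does.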
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Sessions.... Just how secure are they?

Post by Eran »

It doesn't matter what the expiration time is or where the sessions are stored - in the database or in the filesystem. For the browser to retain state between page loads, it needs to transmit the session ID - either via a cookie or through GET/POST params.