Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Just a random, very open question this one. I wrote a login system which I believe to be very secure, however I put a lot of faith in PHP sessions without really knowing just how secure they are.
For instance, let's say a user has passed all validation, and a session is created with information registered. Is the registered information in that session safe? Is it possible to trick the server into creating sessions etc.?
It depends on how you pass along the values: in a cookie, or in a URL. Those values could be taken from the URL (or cookie) and used (session fixation & session hijacking). Also, if I'm not mistaken, if you share your webserver with others, those session values could be accessible to them.
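The two attacks named above have standard countermeasures in PHP itself. The following is an added example, not code from the thread or from any poster: a session bootstrap that refuses IDs the server never issued (strict mode), keeps the ID out of URLs, marks the cookie Secure/HttpOnly/SameSite, and rotates the ID on login so a fixated or previously observed ID becomes worthless. It assumes PHP 7.4 or newer, HTTPS, and a hypothetical user lookup (`credentialsAreValid`) that stands in for the real password check.

```php
<?php
// Added example: hardened session bootstrap and login handler against
// session fixation and session hijacking. Not code from the original thread.
// Assumes PHP 7.4+ (samesite cookie option, ??=) and that the site is
// served over HTTPS. credentialsAreValid() is a constructed stand-in.

declare(strict_types=1);

function startHardenedSession(): void
{
    // Never accept or emit the session ID in the query string; cookies only.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server did not issue. This defeats fixation through a
    // pre-chosen ID: an unknown ID is silently replaced with a fresh one.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict',
    ]);

    session_start();

    // Server-side idle timeout, independent of what the client does with the cookie.
    $idleLimit = 15 * 60;
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > $idleLimit) {
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true); // continue with a brand-new, empty session
    }
    $_SESSION['last_seen'] = time();
}

/**
 * Call only after credentials have been verified. The key step is
 * session_regenerate_id(true): any ID an attacker planted or observed
 * before login stops being valid, and its data is deleted server-side.
 */
function loginUser(int $userId): void
{
    $_SESSION = [];                   // discard all pre-login state
    session_regenerate_id(true);      // new ID; true deletes the old session
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying server state.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Constructed stand-in for a user lookup: real code reads the stored hash
// for $user from the database and compares with password_verify().
function credentialsAreValid(string $user, string $pass): bool
{
    static $hash = null;
    $hash ??= password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    return $user === 'alice' && password_verify($pass, $hash);
}

// --- usage (hypothetical login script) ---
startHardenedSession();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (credentialsAreValid($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
        loginUser(42);                             // 42 is a placeholder user ID
        header('Location: /account', true, 303);   // redirect so a reload cannot resubmit
        exit;
    }
}
```

Strict mode matters more than it looks: without it, PHP happily creates a session under whatever ID the request carries, which is exactly what a fixation attack needs. Rotating the ID with `session_regenerate_id(true)` on every privilege change (login, and again on logout) is the other half; the cookie flags only limit how an attacker can obtain the ID in the first place.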
If you are using file-based sessions, then it would be in your best interest to change the session.save_path directive to a directory within your account root (and outside the www root).
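Moving the save path is a one-line ini change, but on a shared host it is worth verifying the directory is actually private before trusting it. The following is an added example, not the poster's code: it derives a session directory beside (not under) the document root, checks ownership-only permissions, refuses to start if the directory is web-served, and applies the path before `session_start()`. The directory layout is an assumption.

```php
<?php
// Added example (not from the thread): keep file-based session data in a
// private directory outside the document root, and refuse to start a
// session if that directory is not safe. The paths are assumptions:
// /home/account/www is the document root, /home/account/sessions sits
// beside it.

declare(strict_types=1);

function privateSessionDir(): string
{
    $root = realpath($_SERVER['DOCUMENT_ROOT']);
    if ($root === false) {
        throw new RuntimeException('DOCUMENT_ROOT does not resolve');
    }
    $dir = dirname($root) . '/sessions';

    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session dir $dir");
    }
    // Owner-only: other accounts on the same box must not be able to list
    // or read the sess_* files, which hold the serialised $_SESSION data.
    if ((fileperms($dir) & 0077) !== 0 && !chmod($dir, 0700)) {
        throw new RuntimeException("session dir $dir is group/world accessible");
    }
    if (!is_writable($dir)) {
        throw new RuntimeException("session dir $dir is not writable");
    }
    // Sanity check: the directory must not be inside the web-served tree.
    $real = realpath($dir);
    if (strpos($real . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("session dir $dir is inside the document root");
    }
    return $real;
}

function startSessionInPrivateDir(): void
{
    $dir = privateSessionDir();

    // Equivalent to `session.save_path = /home/account/sessions` in php.ini
    // or .user.ini; must be set before session_start().
    session_save_path($dir);

    // A custom path is not cleaned by the distribution's cron job for the
    // default path, so make sure PHP's own garbage collection runs.
    ini_set('session.gc_probability', '1');
    ini_set('session.gc_divisor', '100');
    ini_set('session.gc_maxlifetime', (string) (30 * 60));

    session_start();

    if (session_save_path() !== $dir) {
        throw new RuntimeException('session.save_path was not applied');
    }
}

startSessionInPrivateDir();
```

The garbage-collection settings are not cosmetic: Debian-derived distributions ship `session.gc_probability = 0` and rely on a cron job that only sweeps the default `/var/lib/php/sessions` directory, so a relocated save path keeps expired session files forever unless PHP (or your own cron entry) cleans it.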
social_experiment wrote:It depends on how you pass along the values: in a cookie, or in a URL. Those values could be taken from the URL (or cookie) and used (session fixation & session hijacking). Also, if I'm not mistaken, if you share your webserver with others, those session values could be accessible to them.
I have already considered those elements. I do not use cookies (Hate them!), I never pass the sessionID in any form data, you don't really need to, so that data is not available from URLs, and a dedicated server is always the way forward because I don't like to share.
flying_circus wrote:If you are using file-based sessions, then it would be in your best interest to change the session.save_path directive to a directory within your account root (and outside the www root).
Noodleyman wrote:I do not use cookies (Hate them!)
Why? Cookies are used to save information between page requests. If you don't use cookies, the only way to do this is to add the data to the page requests via GET and POST data. Since most page requests are GET requests (i.e. clicking an anchor), you'd have to send data through GET data via the query string. This not only forces the data to be output (multiple times, likely) in the server response, but also lengthens your URLs.
Noodleyman wrote:I do not use cookies (Hate them!), I never pass the sessionID in any form data, you don't really need to. so that data is not available from URL's
How are you keeping track of user sessions? As far as I know, the only ways to track a user session is to maintain the id in a cookie, url querystring, or make it really hard and use post vars. If you're not using any of those methods, how are you tracking the session?
Noodleyman wrote:I do not use cookies (Hate them!), I never pass the sessionID in any form data, you don't really need to. so that data is not available from URL's
How are you keeping track of user sessions? As far as I know, the only ways to track a user session is to maintain the id in a cookie, url querystring, or make it really hard and use post vars. If you're not using any of those methods, how are you tracking the session?
Yes, and cookie based sessions are the default.
Noodleyman wrote:I do not use cookies (Hate them!), I never pass the sessionID in any form data, you don't really need to. so that data is not available from URL's
How are you keeping track of user sessions? As far as I know, the only ways to track a user session is to maintain the id in a cookie, url querystring, or make it really hard and use post vars. If you're not using any of those methods, how are you tracking the session?
Stored in MySQL DB.
I do not allow users to remain logged in for any longer than my session expiration time.
I also do not allow users to use things such as "remember me" or "keep me logged in" check boxes. I force users to log in each visit, as well as enforce a strict single sign-in policy. If they log in from another browser / location, then it logs out the first session.
It doesn't matter what the expiration time is or where the sessions are stored, in the database or in the filesystem. For the browser to retain state between page loads, it needs to transmit the session ID, either via a cookie or through GET/POST params.
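The last two points fit together: storing sessions in MySQL changes where the data lives and makes "one active session per user" a single DELETE, but the browser still identifies itself with a session ID in a cookie. The following is an added example, not code from Noodleyman or anyone else in the thread: a PDO-backed session handler registered through PHP's `SessionHandlerInterface`, with `validateId()` so strict mode works against the table, and a `revokeOtherSessions()` method implementing the single sign-in rule. It assumes PHP 8.1 or newer; the table, DSN and credentials are placeholders.

```php
<?php
// Added example, not from the thread: MySQL-backed session storage via PDO
// plus a "one active session per user" rule. Assumes PHP 8.1+.
// Assumed table (placeholder schema):
//   CREATE TABLE sessions (
//     id      VARBINARY(128) NOT NULL PRIMARY KEY,
//     user_id INT UNSIGNED NULL,
//     data    BLOB NOT NULL,
//     expires INT UNSIGNED NOT NULL,
//     KEY (user_id), KEY (expires)
//   );

declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db, private int $ttl) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        $row = $st->fetch(PDO::FETCH_NUM);
        return $row ? (string) $row[0] : '';   // '' = unknown or expired session
    }

    public function write(string $id, string $data): bool
    {
        // user_id is mirrored into its own column so other sessions of the
        // same user can be found without unserialising every row.
        $userId = $_SESSION['user_id'] ?? null;
        $st = $this->db->prepare(
            'INSERT INTO sessions (id, user_id, data, expires) VALUES (?, ?, ?, ?)
             ON DUPLICATE KEY UPDATE user_id = VALUES(user_id), data = VALUES(data), expires = VALUES(expires)'
        );
        return $st->execute([$id, $userId, $data, time() + $this->ttl]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }

    // With session.use_strict_mode=1 PHP asks the handler whether an incoming
    // ID is real; an ID that is not in the table is replaced, not adopted.
    public function validateId(string $id): bool
    {
        $st = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        return (bool) $st->fetchColumn();
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->db->prepare('UPDATE sessions SET expires = ? WHERE id = ?')
                        ->execute([time() + $this->ttl, $id]);
    }

    /** Single sign-in: delete every other session belonging to this user. */
    public function revokeOtherSessions(int $userId, string $keepId): int
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE user_id = ? AND id <> ?');
        $st->execute([$userId, $keepId]);
        return $st->rowCount();
    }
}

// --- usage (DSN and credentials are placeholders) ---
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$handler = new PdoSessionHandler($db, 15 * 60);

ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');   // the ID still travels in a cookie
session_set_save_handler($handler, true);
session_start();

// After the password check succeeds (user id 42 is a stand-in):
function onLogin(PdoSessionHandler $h, int $userId): void
{
    session_regenerate_id(true);                       // fresh ID, old row removed
    $_SESSION['user_id'] = $userId;                    // written to the table at shutdown
    $h->revokeOtherSessions($userId, session_id());    // logs out every other browser/location
}
```

Note what did and did not change: `session_start()` still reads `PHPSESSID` from the request cookie and `validateId()` is what keeps an attacker from minting a session by sending an ID of their choosing. Run `gc()` from cron if your `session.gc_probability` is 0, otherwise expired rows accumulate.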