Sessions.... Just how secure are they?

Posted: Mon Jul 04, 2011 11:02 am
by Noodleyman
Just a random, very open question this one. I wrote a login system which I believe to be very secure, however I put a lot of faith in PHP sessions without really knowing just how secure they are.

For instance, let's say a user has passed all validation, and a session is created with information registered. Is the registered information in that session safe? Is it possible to trick the server into creating sessions etc.?

Just random end of day questions :)

Re: Sessions.... Just how secure are they?

Posted: Mon Jul 04, 2011 11:41 am
by social_experiment
It depends on how you pass along the values: in a cookie, in a URL. Those values could be taken from the URL (or cookie) and used (session fixation & session hijacking). Also, if I'm not mistaken, if you share your webserver with others, those session values could be accessible to them.

Re: Sessions.... Just how secure are they?

Posted: Mon Jul 04, 2011 3:52 pm
by flying_circus
If you are using file-based sessions, then it would be in your best interest to change the session.save_path directive to a directory within your account root (and outside the www root).

Re: Sessions.... Just how secure are they?

Posted: Tue Jul 05, 2011 3:39 am
by Noodleyman
social_experiment wrote:It depends on how you pass along the values: in a cookie, in a URL. Those values could be taken from the URL (or cookie) and used (session fixation & session hijacking). Also, if I'm not mistaken, if you share your webserver with others, those session values could be accessible to them.
I have already considered those elements. I do not use cookies (Hate them!), I never pass the session ID in any form data, you don't really need to, so that data is not available from URLs, and a dedicated server is always the way forward because I don't like to share ;)

yay :D

Re: Sessions.... Just how secure are they?

Posted: Tue Jul 05, 2011 3:39 am
by Noodleyman
flying_circus wrote:If you are using file-based sessions, then it would be in your best interest to change the session.save_path directive to a directory within your account root (and outside the www root).
Good advice, I will double check this.

Re: Sessions.... Just how secure are they?

Posted: Tue Jul 05, 2011 7:10 am
by superdezign
Noodleyman wrote:I do not use cookies (Hate them!)
Why? Cookies are used to save information between page requests. If you don't use cookies, the only way to do this is to add the data to the page requests via GET and POST data. Since most page requests are GET requests (i.e. clicking an anchor), you'd have to send data through GET data via the query string. This not only forces the data to be output (multiple times, likely) in the server response, but also lengthens your URLs.

Re: Sessions.... Just how secure are they?

Posted: Tue Jul 05, 2011 11:34 am
by social_experiment
Noodleyman wrote:I do not use cookies
Neither do I (and not because I hate them), but set a session and, using your browser, check if any cookies have been set.

Re: Sessions.... Just how secure are they?

Posted: Tue Jul 05, 2011 2:06 pm
by flying_circus
Noodleyman wrote:I do not use cookies (Hate them!), I never pass the session ID in any form data, you don't really need to, so that data is not available from URLs
How are you keeping track of user sessions? As far as I know, the only ways to track a user session are to maintain the ID in a cookie or URL query string, or make it really hard and use POST vars. If you're not using any of those methods, how are you tracking the session?

Re: Sessions.... Just how secure are they?

Posted: Tue Jul 05, 2011 2:40 pm
by AbraCadaver
flying_circus wrote:
Noodleyman wrote:I do not use cookies (Hate them!), I never pass the session ID in any form data, you don't really need to, so that data is not available from URLs
How are you keeping track of user sessions? As far as I know, the only ways to track a user session are to maintain the ID in a cookie or URL query string, or make it really hard and use POST vars. If you're not using any of those methods, how are you tracking the session?
Yes, and cookie-based sessions are the default.

Re: Sessions.... Just how secure are they?

Posted: Wed Jul 06, 2011 5:18 am
by Noodleyman
flying_circus wrote:
Noodleyman wrote:I do not use cookies (Hate them!), I never pass the session ID in any form data, you don't really need to, so that data is not available from URLs
How are you keeping track of user sessions? As far as I know, the only ways to track a user session are to maintain the ID in a cookie or URL query string, or make it really hard and use POST vars. If you're not using any of those methods, how are you tracking the session?
Stored in MySQL DB.

I do not allow users to remain logged in for any longer than my session expiration time.

I also do not allow users to use things such as "remember me" or "keep me logged in" check boxes. I force users to log in each visit, as well as enforce a strict single sign-in policy: if they log in from another browser / location then it logs out the first session.

Re: Sessions.... Just how secure are they?

Posted: Wed Jul 06, 2011 7:28 am
by Eran
It doesn't matter what the expiration time is or where the sessions are stored, in the database or in the filesystem. For the browser to retain state between page loads, it needs to transmit the session ID, either via a cookie or through GET/POST params.
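Putting the thread's points together (save_path outside the web root, the ID travelling only in a cookie, fixation and hijacking, an enforced expiry): an added example of a hardened PHP session bootstrap, written for this page and not code from any poster. The save path, cookie name and idle limit are assumed placeholder values.

```php
<?php
// Added example: hardened session setup covering the points raised in the thread.
declare(strict_types=1);

// 1. File-based session data kept outside the www root (flying_circus's point).
//    Assumed path; it must be readable only by the web server user.
ini_set('session.save_path', '/home/example/sessions');

// 2. Accept the session ID only from the cookie, never from the query string,
//    and reject IDs the server never issued, so a planted ID (fixation) fails.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

// 3. Cookie flags: unreadable from JavaScript, sent over HTTPS only, not sent
//    on cross-site requests. lifetime 0 = discarded when the browser closes.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_name('APPSESSID');   // assumed name; replaces the default PHPSESSID

session_start();

// 4. Server-side idle timeout, enforced on every request rather than left to
//    garbage collection. Assumed limit of 15 minutes.
const IDLE_LIMIT = 900;
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
    session_unset();                 // drop all registered data
    session_regenerate_id(true);     // new ID, old session file deleted
}
$_SESSION['last_seen'] = time();

// 5. Call once credentials have been verified. Regenerating the ID at login
//    means any ID the client held before authenticating is now worthless,
//    which is the standard defence against session fixation.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['auth_at'] = time();
}
```

The array form of session_set_cookie_params (needed for the samesite attribute) requires PHP 7.3 or newer.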