Security Ideas [sessions/cookies]

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Security Ideas [sessions/cookies]

Post by alex.barylski »

The alternative, as you mention, is passing the session id in the url. The risk with doing so is that it is easy to capture over the wire
That same risk applies regardless of how the SID is maintained... :?

The only disadvantage to using URL propagation is it's visible to someone peeking over your shoulder and there is also the risk someone sends a link to a web page in an email or something similar...but there are techniques to prevent this from being an issue as well...I mean programmatically too...not beating up anyone who peeks over your shoulder :P
and it's also passed to other sites when you leave
Only for the unaware...there is a setting in php.ini which prevents URL propagation for external links...

Non-relative URLs are assumed to point to external sites and hence don't append the SID, as it would be a security risk to leak the SID to a different server

http://ca3.php.net/manual/en/ref.sessio ... -trans-sid
(It should be noted that despite these issues, temporary cookies are practically just as easy to capture over the wire - just not by referrer).
Ignore what I said at the start of this thread ;)

I should note...that the biggest downfall to using URL propagation is that it's not as reliable, in that, Javascript generated menus which link to your site likely won't have the SID in their URLs as the menu may possibly be created client side after URL matching has been completed by PHP session functions. Also Flash links become useless, etc...

Both cookies and URLs have their ups and downs...but really they're both secure if the right techniques are used.

Cheers :)
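The settings the post refers to, as an added example (not code from the thread or from the poster): PHP session setup that switches off URL propagation, accepts the SID from a cookie only, and marks that cookie so it is neither sent over plain HTTP nor readable from script. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params) and a site served over HTTPS.

```php
<?php
// Added example, not from the thread. Hardened session bootstrap for a
// PHP site served over HTTPS. Assumes PHP >= 7.3.

function configure_session(): void
{
    // The weak settings discussed in the thread: with use_trans_sid on, PHP
    // rewrites links and forms to carry the SID, so it ends up in bookmarks,
    // referrers and shoulder-surfed address bars. Turn it off and accept
    // the SID from cookies only.
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_only_cookies', '1');
    // Reject client-supplied SIDs the server never issued (fixation defence).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // temporary cookie: gone when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,   // never sent over plain HTTP
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call after a successful password check so the pre-login SID is discarded
// and a new one is issued to the authenticated browser.
function on_login(string $userId): void
{
    session_regenerate_id(true);   // new SID, old session data deleted
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

// Usage at the top of every page:
//   configure_session();
```

With use_only_cookies on, a SID that arrives in the query string is ignored, so a link pasted into an email does not carry a working session even if the SID is still visible in it.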
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Bank card number? Ewww....
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Maugrim_The_Reaper wrote: Bank card number? Ewww....
It's a pain in the a$$ to type...let alone remember...so it's kind of a nice feature I thought...
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

daou wrote:

```php
<?php
session_start();
if (isset($_COOKIE['key'], $_SESSION['key'], $_SESSION['ip_address'])
    && hash_equals($_SESSION['key'], $_COOKIE['key'])
    && $_SERVER['REMOTE_ADDR'] === $_SESSION['ip_address']) {
    // give a new value for key, save it into the cookie and session variable
    $key = bin2hex(random_bytes(16));
    $_SESSION['key'] = $key;
    setcookie('key', $key, 0, '/', '', true, true);
    // load the page
} else {
    session_destroy(); // end session
}
```
So if a user's IP changes (say like with a broadband connection or with a router that resolves its own IPs) then their session is killed? Sounds like it could frustrate a user...
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

How does a site like Amazon do it?

Amazon will remember you, so you can do some basic stuff. Like seeing what items you watched last time, see your wish list etc. But as soon as you want to do something with a higher level of risk involved, you're asked for your password.

Just looked it up: I think Ilia Alshanetsky calls this a multi-tier authentication system which uses two separate cookies. One long duration cookie for read-only access. Logging in (again) creates a second, short-term session that allows you to do more sensitive things.

Arborint, if your idea of creating a cookie class takes place I will follow it with interest. Haven't done much with sessions yet so not sure if I could contribute a lot..
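The two-tier scheme described above, as an added example (not code from the thread, and not Ilia Alshanetsky's implementation): a long-lived "remember me" cookie that only identifies the user for read-only pages, and a short-lived elevated flag that is set only after the password is re-entered and is required for anything sensitive. The cookie holds a selector and a random validator; only a hash of the validator is stored server-side. The storage functions are hypothetical stand-ins for a database layer, and the cookie options assume PHP 7.3 or later over HTTPS.

```php
<?php
// Added example, not from the thread. Two-tier authentication:
// tier 1 = long-lived remember-me cookie (read-only access),
// tier 2 = short-lived elevation after a password re-prompt.

const REMEMBER_COOKIE   = 'remember';
const REMEMBER_LIFETIME = 30 * 24 * 3600;  // 30 days
const ELEVATED_LIFETIME = 10 * 60;         // 10 minutes

// --- hypothetical storage layer (replace with real queries) -------------
function store_remember_token(string $selector, string $validatorHash, string $userId, int $expires): void
{
    // INSERT INTO remember_tokens (selector, validator_hash, user_id, expires) ...
}
function find_remember_token(string $selector): ?array
{
    // SELECT user_id, validator_hash, expires FROM remember_tokens WHERE selector = ?
    return null;
}
function user_password_hash(string $userId): ?string
{
    // SELECT password_hash FROM users WHERE id = ?
    return null;
}

// Tier 1: issue the long-duration cookie after a full login.
function issue_remember_cookie(string $userId): void
{
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + REMEMBER_LIFETIME;
    // Store only a hash: a leaked table does not yield usable cookies.
    store_remember_token($selector, hash('sha256', $validator), $userId, $expires);
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Tier 1: identify the user from the cookie. Returns the user id or null.
// Callers must treat this as read-only identity, never as authorization
// for sensitive actions.
function remembered_user(): ?string
{
    if (!isset($_COOKIE[REMEMBER_COOKIE]) || !is_string($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = find_remember_token($selector);
    if ($row === null || $row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison of the stored hash against the presented validator.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return $row['user_id'];
}

// Tier 2: re-prompt for the password before anything sensitive.
function elevate(string $userId, string $password): bool
{
    $hash = user_password_hash($userId);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['elevated_user']  = $userId;
    $_SESSION['elevated_until'] = time() + ELEVATED_LIFETIME;
    return true;
}

function is_elevated(string $userId): bool
{
    return isset($_SESSION['elevated_user'], $_SESSION['elevated_until'])
        && $_SESSION['elevated_user'] === $userId
        && $_SESSION['elevated_until'] > time();
}

// Usage in a page handler:
//   session_start();
//   $user = remembered_user();                 // null -> show the login form
//   if ($actionIsSensitive && ($user === null || !is_elevated($user))) {
//       // redirect to the password re-prompt, then call elevate()
//   }
```

The split keeps the long-lived cookie's blast radius small: someone who copies it off a PC gets the wish list, not the ability to change the password or place an order.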
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

www.rogers.com and http://www.cibc.com are 2 places which don't remember all your details required to login, but only Username or bankcard number, etc...
Isn't a bankcard number sensitive data? Could be just me now :), in Ireland a bank card number is one basis of authentication to online bank account access. Would prefer it did not sit on a PC in a nice little text file for anyone to gawk at...;). It's probably not the same thing outside Ireland's aging banking system....
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Maugrim_The_Reaper wrote:
www.rogers.com and http://www.cibc.com are 2 places which don't remember all your details required to login, but only Username or bankcard number, etc...
Isn't a bankcard number sensitive data? Could be just me now :), in Ireland a bank card number is one basis of authentication to online bank account access. Would prefer it did not sit on a PC in a nice little text file for anyone to gawk at...;). It's probably not the same thing outside Ireland's aging banking system....
Well...it's actually only a client card number for debit transactions as far as I know...in which case fraudulent use would be difficult as you absolutely need the card to perform any actions...it's not a credit card number...

In order for the number to have any use, outside of identifying you, you need a 6 digit PIN (Personal Identification Number) and the physical card itself...

So no...it's not really a security risk I don't think :)