Session idea: is it safe?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


klarinetking
Forum Commoner
Posts: 59
Joined: Mon Jul 24, 2006 9:43 am

Session idea: is it safe?

Post by klarinetking »

Hi everyone,

I'd like to explain my idea for basic session handling to you guys. I've thought about it, and I can't see any problem with it, but I'd like others' opinions as well, please. OK, here goes.

So basically, there are two base cases that can happen.

User visits any page, session class is initialized, etc.

Case 1 - User not logged in; no cookie or session info in DB

If the user is not logged in, has no cookie, and/or there is no session info in the DB for this user, any specified activities, protected like so:


if ( $session->loggedOn() == FALSE ) { ... }
the user cannot access them. If the user logs in, the session class will attempt to set a cookie containing a random session_id, which is stored in the database. If a cookie is unavailable, the session_id is still stored in the DB, and the SID is appended to the URL. $session->loggedOn() is set to true, and the user can access previously restricted areas.

Case 2 - User is logged in

If the user is logged in, the session class first looks for the cookie. If it's found, and the info (session_id, session_key) is valid, $session->loggedOn() remains at true, and the last_visited time in the DB is updated.



In the constructor is a removeInactive(), which removes sessions that are inactive after a certain amount of time. There is also updateSession(), which does the checking for a session. On logout, all info is scrubbed, and removeInactive() is also called, closing the session.

Reasoning

I guess I should explain some of my reasoning to see if there's a flaw in it somewhere.

1. The session_id is just acting as a unique identifier. It's just an md5'd random string that associates a certain user with a certain session.

I'd appreciate any and all comments regarding my system. I don't have any code yet as it's just an idea, but I'm working on it.

Thanks for your time.

klarinetking
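The "Case 1 / Case 2" flow described in the post above, written out as an added example (this is not the poster's code, and the class name, table layout and method names are this example's own choices). It assumes PHP 7.1 or later with PDO and the pdo_sqlite driver, and uses an in-memory SQLite database so it runs offline. It keeps the id in a cookie only, stores only a hash of the id in the table, and carries the inactivity check and removeInactive() step through, so the expiry edge case can be exercised by passing a fake "now":

```php
<?php
// Added example, not the poster's code: the "Case 1 / Case 2" session flow
// with a DB-backed session table. SessionStore, the sessions table and the
// method names are this example's own choices.
// Assumes PHP >= 7.1 with PDO and pdo_sqlite; the in-memory database below is
// constructed here so the script runs offline.

declare(strict_types=1);

final class SessionStore
{
    private $db;
    private $maxInactive; // seconds; the "max-len-inactive" setting

    public function __construct(PDO $db, int $maxInactive)
    {
        $this->db = $db;
        $this->maxInactive = $maxInactive;
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id_hash TEXT PRIMARY KEY,
            user_id INTEGER NOT NULL,
            last_visited INTEGER NOT NULL)');
    }

    /** Case 1 -> logged in: mint an unguessable id and record it. */
    public function create(int $userId): string
    {
        // 32 bytes from the OS CSPRNG. md5(mt_rand()) would carry at most
        // 31 bits of entropy, and mt_rand() is not a cryptographic generator.
        $sid = bin2hex(random_bytes(32));
        // Store only a hash: a read-only copy of the table (backup, injection)
        // does not hand out live session ids.
        $stmt = $this->db->prepare(
            'INSERT INTO sessions (id_hash, user_id, last_visited) VALUES (?, ?, ?)');
        $stmt->execute([hash('sha256', $sid), $userId, time()]);
        return $sid;
    }

    /** Case 2: validate a presented id, refresh last_visited, return the user id or null. */
    public function resolve(?string $sid, ?int $now = null): ?int
    {
        $now = $now ?? time();
        if ($sid === null || !preg_match('/^[0-9a-f]{64}$/', $sid)) {
            return null; // malformed id: treat as "not logged in" (Case 1)
        }
        $stmt = $this->db->prepare(
            'SELECT user_id, last_visited FROM sessions WHERE id_hash = ?');
        $stmt->execute([hash('sha256', $sid)]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || $now - (int) $row['last_visited'] > $this->maxInactive) {
            return null; // unknown id, or inactive for too long
        }
        $upd = $this->db->prepare('UPDATE sessions SET last_visited = ? WHERE id_hash = ?');
        $upd->execute([$now, hash('sha256', $sid)]);
        return (int) $row['user_id'];
    }

    /** removeInactive(): drop rows idle longer than the limit; returns rows removed. */
    public function removeInactive(?int $now = null): int
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE last_visited < ?');
        $stmt->execute([($now ?? time()) - $this->maxInactive]);
        return $stmt->rowCount();
    }

    /** Logout: scrub the row so the id cannot be presented again. */
    public function destroy(string $sid): void
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id_hash = ?');
        $stmt->execute([hash('sha256', $sid)]);
    }
}

// Constructed walk-through: no browser involved, the cookie value is passed by hand.
$store = new SessionStore(new PDO('sqlite::memory:'), 1800);

// Case 1: nothing presented -> not logged on.
assert($store->resolve(null) === null);

// Login issues the id; in a real request it would go into a cookie, e.g.
// setcookie('sid', $sid, 0, '/', '', true, true);   // secure + httponly
$sid = $store->create(42);

// Case 2: the same id resolves to user 42 and refreshes last_visited.
assert($store->resolve($sid) === 42);

// An id of the right shape but unknown value is rejected.
assert($store->resolve(str_repeat('a', 64)) === null);

// More than 30 minutes idle: the id is dead and removeInactive() removes the row.
assert($store->resolve($sid, time() + 1801) === null);
assert($store->removeInactive(time() + 1801) === 1);

// Logout scrubs the row; the id cannot be reused.
$sid2 = $store->create(42);
$store->destroy($sid2);
assert($store->resolve($sid2) === null);
```

Run it with `php` on the command line; every `assert()` passes silently. The design choice worth noting is that the id itself is never stored and never appears in a URL: the table holds `sha256(id)`, so the only copy of the secret is the client's cookie, and a visitor with no cookie simply falls into Case 1.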
klarinetking
Forum Commoner
Posts: 59
Joined: Mon Jul 24, 2006 9:43 am

Post by klarinetking »

Well, in case it helps, here's most of my code


<?php

/**
 * Session class. loggedOn() is the public check used in the first post
 * ($session->loggedOn() == FALSE); setLoggedOn() is the private setter.
 */
class session
{
	/**
	 * @access	private
	 * @var		bool
	 */
	private $loggedOn = FALSE;

	/**
	 * @access	public
	 * @var		string
	 */
	public $sid;

	/**
	 * Settings object fetched from the registry.
	 *
	 * @access	private
	 * @var		object
	 */
	private $settings;

	/**
	 * The constructor.
	 *
	 * Sets up access to the settings object and removes inactive sessions.
	 *
	 * @access	public
	 * @param	object $registry
	 */
	public function __construct($registry)
	{
		$this->settings = $registry->get('settings');

		$this->removeInactive();
		$this->updateSession();
	}

	/**
	 * updateSession
	 *
	 * Checks for existence of a session
	 *
	 * @access	private
	 */
	private function updateSession()
	{
		if ( isset($_GET['sid']) && !empty($_GET['sid']) )
		{
			// User might be logged on here.  Get session info from the DB and
			// check
		}
		else
		{
			// User is not logged on.
			$this->setLoggedOn(FALSE);
		}
	}

	/**
	 * createSession
	 *
	 * Creates a new session.
	 *
	 * @access	private
	 */
	private function createSession()
	{
		// @todo: mt_rand() is not a cryptographically secure source, and
		// md5() of it gives at most 31 bits of entropy per id.
		$this->sid = md5(mt_rand());

		$this->setLoggedOn(TRUE);

		// @todo: add session info into the db
	}

	/**
	 * destroySession
	 *
	 * Destroys a previously created session.
	 *
	 * @access	private
	 */
	private function destroySession()
	{
		$this->setLoggedOn(FALSE);
		// @todo: remove the session info from the db
	}

	/**
	 * removeInactive
	 *
	 * Removes sessions that have been inactive longer than the max-len-inactive
	 * setting.
	 *
	 * @access	private
	 */
	private function removeInactive()
	{
		// @todo: Remove sessions that have been inactive for longer than the
		// max-inactive setting.
	}

	/**
	 * loggedOn
	 *
	 * Returns whether the current visitor has a valid session.
	 *
	 * @access	public
	 * @return	bool
	 */
	public function loggedOn()
	{
		return $this->loggedOn;
	}

	/**
	 * setLoggedOn
	 *
	 * Updates the loggedOn variable depending on the user's status
	 *
	 * @access	private
	 * @param	bool $value
	 */
	private function setLoggedOn($value = FALSE)
	{
		$this->loggedOn = (bool) $value;
	}
}
Ward
Forum Commoner
Posts: 74
Joined: Thu Jul 13, 2006 10:01 am

Post by Ward »

Maybe I'm misunderstanding, but why not use the built-in session handling? That way you don't have to worry about checking for the cookie, setting it, and seeing if the browser will even accept cookies.

Also, instead of generating a random session ID, why not make an MD5 hash of something unique to each user, like IP address and userID? For example, md5($_SERVER["REMOTE_ADDR"].$userID). This way you couldn't steal someone's login cookie and use it on another machine.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The problem with using their IP and the userid is it likely won't fluctuate often for many people, and it would create a horrible user experience for those users whose IP changes often.
klarinetking
Forum Commoner
Posts: 59
Joined: Mon Jul 24, 2006 9:43 am

Post by klarinetking »

Hi,

Thanks for your replies.

First, I don't really want to use the built-in session functions because I've had a lot of problems with them, and if I store info in a DB, then the whole system doesn't rely on the OS any more than necessary.

Second, like Feyd said, the session_id is supposed to be unique for each user, and it is supposed to change every time a new session is created. It's not meant to be held through multiple sessions.

Thanks again for your replies. Do you see anything that could be considered possibly unsafe?

klarinetking
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

> First, I don't really want to use the built-in session functions because I've had a lot of problems with them

I bet you're gonna have the same problems with your own session handling subsystem.

> and if I store info in a DB, then the whole system doesn't rely on the OS any more than necessary.

Did you know you could use your own session storage functions with built-in session handling code?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

I'd really like to know what problems you've had with the built-in session handling. For me, they've been incredibly easy to use. Perhaps making them distributed has been the trouble? (In that case, all you need to do is register a custom handler that uses DB sessions. I believe AdoDB has one prewritten.)
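What Weirdan and Ambush Commander are pointing at, as an added example (not the code of any poster, nor AdoDB's handler): PHP's built-in session machinery is kept for cookie handling, id generation, session_regenerate_id() and garbage collection, and only the storage backend is replaced by a database table through session_set_save_handler(). It assumes PHP 7.3 or later with PDO and pdo_sqlite; the class name, table layout, file name and the three helper functions are this example's own choices.

```php
<?php
// Added example, not the poster's code or AdoDB's: keep PHP's built-in session
// handling and swap only the storage backend for a database table via
// session_set_save_handler(). Assumes PHP >= 7.3 with PDO and pdo_sqlite;
// PdoSessionHandler, the table layout, the file name and the helper
// functions are this example's own choices.

declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface
{
    private $db;
    private $maxLifetime;

    public function __construct(PDO $db, int $maxLifetime)
    {
        $this->db = $db;
        $this->maxLifetime = $maxLifetime;
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY,
            data BLOB NOT NULL,
            last_visited INTEGER NOT NULL)');
    }

    public function open($savePath, $sessionName): bool { return true; }
    public function close(): bool { return true; }

    public function read($id): string
    {
        // An expired row is reported as absent, so a stale id cannot be
        // resumed even if garbage collection has not run yet.
        $stmt = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = ? AND last_visited >= ?');
        $stmt->execute([$id, time() - $this->maxLifetime]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : (string) $row['data'];
    }

    public function write($id, $data): bool
    {
        // $id comes straight from the client's cookie: bind it, never concatenate it.
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, last_visited) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time()]);
    }

    public function destroy($id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        return $stmt->execute([$id]);
    }

    #[\ReturnTypeWillChange]
    public function gc($maxLifetime)
    {
        // This is the poster's removeInactive(): PHP calls it on session_start()
        // with probability session.gc_probability / session.gc_divisor.
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE last_visited < ?');
        $stmt->execute([time() - (int) $maxLifetime]);
        return $stmt->rowCount();
    }
}

$lifetime = 1800; // 30 minutes idle, the "max-inactive" setting
$db = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Harden the built-in handling before the session starts.
ini_set('session.use_only_cookies', '1'); // no ?sid= fallback in the URL
ini_set('session.use_strict_mode', '1');  // ignore ids the server never issued
ini_set('session.gc_maxlifetime', (string) $lifetime);
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Lax',
]);
session_set_save_handler(new PdoSessionHandler($db, $lifetime), true);
session_start();

function login(int $userId): void
{
    // Fresh id at the privilege boundary: a pre-login id stays worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function loggedOn(): bool
{
    return isset($_SESSION['user_id']);
}

function logout(): void
{
    $_SESSION = [];
    session_destroy(); // calls PdoSessionHandler::destroy(), deleting the row
}
```

Include this file before any output and the rest of the application keeps using `$_SESSION` as usual; `loggedOn()` plays the role of `$session->loggedOn()` from the first post. The `secure` cookie flag means the cookie is only sent over HTTPS, which is what you want in production but will look like "sessions don't work" on a plain-HTTP development host.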
klarinetking
Forum Commoner
Posts: 59
Joined: Mon Jul 24, 2006 9:43 am

Post by klarinetking »

Hi,

My main problem has been trying to get the sessions to work all the time, on any platform. For some reason or another, things break, or need tweaking. I'm trying to find some way to remove the necessity for all that. I'll take a look at the custom handlers; I've never heard of them before.

Thanks,

klarinetking
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

The main reason to use a DB-driven session system is speed. If you have to deal with many different sessions at once, the performance increase is immense.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Hmm... I was under the impression that DB-based sessions were slower than their file-based counterparts...