Several step process. Security concerns.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria
Post by jmut »

Hi,
I am making an app like an ordering process.
The thing is ...it has several steps in it.
The problem is I cannot use just sessions...because I want no data to be lost.

So on each step I pretty much save data to a database... (using SID as PK) and if all is OK..I redirect the client to another step with the appropriate SID in _GET['sid'].

There I take all the data from the database (based on get[sid])....if this sid really has reached this step....I continue...else redirect to the step he should be on.

Do you think this is somehow a security problem...One thing I see is...if someone hits...a correct sid..he will be introduced into someone else's order. What are the chances ....I know this is security through obscurity but :(
So there come two scenarios:

- the user is able to continue his order some other time - set a cookie with the sid...when he/she returns the cookie is read and the sid is used to continue. (problem with someone hitting a random sid)

- we don't want the user to continue from where he was..but start over - on the first step store a session flag.... if on the next steps this flag is not set...redirect the user to step 1.

How could I solve each of these scenarios?
I kind of don't like all this but I'm not sure yet... Any comments are more than welcome.
DaveTheAve
Forum Contributor
Posts: 385
Joined: Tue Oct 03, 2006 2:25 pm
Location: 127.0.0.1

Post by DaveTheAve »

Well, you could lock the SID to the IP address or to the x.x.x IP range if you don't like the exact x.x.x.x IP lock. However, you mentioned the SID being sent via the URL. While this is OK if you wish it to be, make sure you make the SID "database safe". You don't want people to hack your database, do you?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Beware that IP-based responses are highly unreliable. Users can legitimately jump IPs throughout a request or session. Many users can be using the same IP.
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

DaveTheAve wrote: Well, you could lock the SID to the IP address or to the x.x.x IP range if you don't like the exact x.x.x.x IP lock. However, you mentioned the SID being sent via the URL. While this is OK if you wish it to be, make sure you make the SID "database safe". You don't want people to hack your database, do you?

As feyd mentioned... I am not a big fan of IP lock or anything that concerns IP reliability.
What do you mean by "make the SID database safe"?
DaveTheAve
Forum Contributor
Posts: 385
Joined: Tue Oct 03, 2006 2:25 pm
Location: 127.0.0.1

Post by DaveTheAve »

I don't think I correctly got across what I meant to say. What I had meant was, lock the session to the IP, not the IP to the session. This way the session can only have one IP, while the IP can have more than one session. While this will not help against people sniffing the network and hijacking people's sessions within the same IP, it does add some more protection.

The other topic I understand you are confused on is making the SID database friendly. This could be done by using mysql_real_escape_string.

I normally use a spin-off of a function found on that page:

<?php
// Quote variable to make safe
function quote_smart($value)
{
   // Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not a number or a numeric string
   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value) . "'";
   }
   return $value;
}

?>
To use this, provided you're not using register_globals and the SID variable is indeed $_GET['SID']:

<?php
$_GET['SID'] = quote_smart($_GET['SID']);
?>
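The step gate jmut describes, with DaveTheAve's "database safe" point handled by prepared statements instead of manual quoting, as an added example that is not code from either poster. It assumes an `orders` table with columns sid, session_id, step and data, and one PHP file per step (step1.php, step2.php, ...).

```php
<?php
// Added example, not code from the thread. Gates each step of the order flow:
// the order id is 128 bits of CSPRNG output (so a guessed sid is not a realistic
// risk) and is also bound to the PHP session, so knowing a sid alone never opens
// someone else's order. PDO prepared statements replace manual quoting.
// Assumed schema: orders(sid CHAR(32) PRIMARY KEY, session_id VARCHAR(128), step INT, data TEXT)
session_start();

function create_order(PDO $db): string {
    $sid = bin2hex(random_bytes(16));            // unguessable, URL-safe hex id
    $st  = $db->prepare('INSERT INTO orders (sid, session_id, step, data) VALUES (?, ?, 1, ?)');
    $st->execute([$sid, session_id(), '{}']);
    $_SESSION['order_sid'] = $sid;               // server-side proof of ownership
    return $sid;
}

// Returns ['order' => row] if $sid is this session's order and has reached $step,
// otherwise ['redirect' => url] pointing at the step the client should be on.
function gate_step(PDO $db, string $sid, int $step): array {
    if (!preg_match('/^[0-9a-f]{32}$/', $sid) || ($_SESSION['order_sid'] ?? '') !== $sid) {
        return ['redirect' => 'step1.php'];       // malformed or foreign id: start over
    }
    $st = $db->prepare('SELECT sid, step, data FROM orders WHERE sid = ? AND session_id = ?');
    $st->execute([$sid, session_id()]);
    $order = $st->fetch(PDO::FETCH_ASSOC);
    if ($order === false) {
        return ['redirect' => 'step1.php'];
    }
    if ((int) $order['step'] < $step) {          // tried to skip ahead: send back
        return ['redirect' => sprintf('step%d.php?sid=%s', (int) $order['step'], $sid)];
    }
    return ['order' => $order];
}

// Marks $step as completed for this session's order, which unlocks step+1.
// Redoing an earlier step resets progress to the step after it.
function complete_step(PDO $db, string $sid, int $step, string $data): bool {
    $st = $db->prepare('UPDATE orders SET step = ?, data = ? WHERE sid = ? AND session_id = ? AND step >= ?');
    $st->execute([$step + 1, $data, $sid, session_id(), $step]);
    return $st->rowCount() === 1;                // 0: not this session's order, or step not reached yet
}

// Usage on step2.php (DSN and file layout are assumptions):
// $db = new PDO('mysql:host=localhost;dbname=shop', 'user', 'pass', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $r = gate_step($db, $_GET['sid'] ?? '', 2);
// if (isset($r['redirect'])) { header('Location: ' . $r['redirect']); exit; }
// $order = $r['order'];
```

For jmut's first scenario (resume later), keeping the PHP session cookie alive (session.cookie_lifetime) is enough, since a sid is useless without the matching session. For the second scenario, unsetting $_SESSION['order_sid'] on step 1 forces every visitor to start a fresh order.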
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

DaveTheAve wrote: ...While this will not help against people sniffing the network and hijacking people's sessions within the same IP, it does add some more protection...

Well, the whole process is using HTTPS...so I don't think sniffing will be a real problem.

DaveTheAve wrote: ...The other topic I understand you are confused on is making the SID database friendly...

Not sure how you got that..thanks anyway.

I guess it all will be OK :)
Time will tell :lol: