
Several-step process: security concerns.

Posted: Tue Oct 24, 2006 7:05 am
by jmut
Hi,
I am making an app like an ordering process.
The thing is... it has several steps in it.
The problem is I cannot use just sessions... because I want no data to be lost.

So on each step I pretty much save data to a database... (using the SID as PK) and if all is ok... I redirect the client to the next step with the appropriate SID in $_GET['sid'].

There I take all the data from the database (based on $_GET['sid'])... if this SID really has reached this step... I continue... else I redirect to the step he should be on.


Do you think this is somehow a security problem... One thing I see is... if someone hits a correct SID, he will be introduced into someone else's order. What are the chances... I know this is security through obscurity but :(
So there come two scenarios:

- user is able to continue his order some other time - set a cookie with the SID... when he/she returns, the cookie is read and the SID is used to continue. (problem with someone hitting a random SID)

- we don't want the user to continue from where he was, but start over - on the first step store a session flag... if on the next steps this flag is not set, redirect the user to step 1.

How could I solve each of these scenarios?
I kind of don't like all this but I'm not sure yet... Any comments are more than welcome.
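An added example, not jmut's code, showing one way to handle the three points raised in this post: a SID that cannot be hit by guessing, the "has this SID really reached this step" check, and the two scenarios (resume from a cookie; force a fresh start via a session flag). A plain PHP array stands in for the orders table, and the step names, cookie name and session flag name are invented for the example. The session flag is bound to the SID rather than being a bare boolean, which goes slightly beyond what the post describes.

```php
<?php
// Added example for this thread (not jmut's code): unguessable order SID,
// step-order enforcement, and the resume / start-over scenarios.
// Assumptions: an array stands in for the orders table; STEPS, ORDER_COOKIE
// and STARTED_FLAG are invented names.

declare(strict_types=1);

const STEPS = ['cart', 'address', 'payment', 'confirm'];
const ORDER_COOKIE = 'order_sid';      // assumed cookie name (scenario 1)
const STARTED_FLAG = 'order_started';  // assumed session key (scenario 2)

// 128 bits from the CSPRNG. The chance of hitting someone else's order with a
// random value is then 2^-128 per try, which a sequential or short id lacks.
function newOrderSid(): string
{
    return bin2hex(random_bytes(16));
}

// Reject anything that is not a 32-character hex string before it is looked up.
function isWellFormedSid(string $sid): bool
{
    return strlen($sid) === 32 && ctype_xdigit($sid);
}

// Create a new order record at step 0 and return its SID.
function createOrder(array &$orders): string
{
    $sid = newOrderSid();
    $orders[$sid] = ['step' => 0, 'data' => []];
    return $sid;
}

// Returns null if the client may render $requested, otherwise the name of the
// step it should be redirected to (the "really has reached this step" check).
function checkStep(array $orders, string $sid, string $requested): ?string
{
    if (!isWellFormedSid($sid) || !isset($orders[$sid])) {
        return STEPS[0];                       // unknown SID: start at step 1
    }
    $reached = $orders[$sid]['step'];
    $idx = array_search($requested, STEPS, true);
    if ($idx === false || $idx > $reached) {
        return STEPS[min($reached, count(STEPS) - 1)];  // skipped ahead
    }
    return null;
}

// Save the step's data and unlock the next step.
function completeStep(array &$orders, string $sid, string $step, array $data): void
{
    if (checkStep($orders, $sid, $step) !== null) {
        throw new RuntimeException("step '$step' not reachable for this order");
    }
    $idx = array_search($step, STEPS, true);
    $orders[$sid]['data'][$step] = $data;
    $orders[$sid]['step'] = max($orders[$sid]['step'], $idx + 1);
}

// Scenario 1: resume later. The random SID is what makes a "random hit"
// impractical; the cookie flags only limit where the value can leak to.
function resumeCookieOptions(): array
{
    return ['expires' => time() + 7 * 86400, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

function resumeOrder(array $orders, array $cookies): ?string
{
    $sid = $cookies[ORDER_COOKIE] ?? '';
    return (isWellFormedSid($sid) && isset($orders[$sid])) ? $sid : null;
}

// Scenario 2: must start over. Step 1 records the SID in the server-side
// session; every later step refuses to run unless that record matches.
function startOrderThisSession(array &$session, array &$orders): string
{
    $sid = createOrder($orders);
    $session[STARTED_FLAG] = $sid;
    return $sid;
}

function requireStartedThisSession(array $session, string $sid): bool
{
    return isset($session[STARTED_FLAG]) && hash_equals($session[STARTED_FLAG], $sid);
}

// Walk-through with in-memory stand-ins for the DB, $_SESSION and $_COOKIE.
$orders = [];
$session = [];
$sid = startOrderThisSession($session, $orders);
if (PHP_SAPI !== 'cli') {
    setcookie(ORDER_COOKIE, $sid, resumeCookieOptions());   // before any output
}
completeStep($orders, $sid, 'cart', ['item' => 'widget']);
var_dump(checkStep($orders, $sid, 'payment'));                          // "address"
var_dump(requireStartedThisSession([], $sid));                          // false
var_dump(resumeOrder($orders, [ORDER_COOKIE => $sid]) === $sid);        // true
var_dump(resumeOrder($orders, [ORDER_COOKIE => str_repeat('0', 32)]));  // NULL
```

The step check is the same lookup whether the SID arrived in the URL or in the cookie, so both scenarios share it; what changes is only where the SID comes from and whether the session must also vouch for it.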

Posted: Tue Oct 31, 2006 9:16 pm
by DaveTheAve
Well, you could lock the SID to the IP address or to the x.x.x IP range if you don't like the exact x.x.x.x IP lock. However, you mentioned the SID being sent via the URL. While this is OK if you wish it to be, make sure you make the SID "database safe". You don't want people to hack your database, do you?

Posted: Tue Oct 31, 2006 9:21 pm
by feyd
Beware that IP-based responses are highly unreliable. Users can legitimately jump IPs throughout a request or session. Many users can be using the same IP.

Posted: Wed Nov 01, 2006 1:26 am
by jmut
DaveTheAve wrote: Well, you could lock the SID to the IP address or to the x.x.x IP range if you don't like the exact x.x.x.x IP lock. However, you mentioned the SID being sent via the URL. While this is OK if you wish it to be, make sure you make the SID "database safe". You don't want people to hack your database, do you?
As feyd mentioned... I am not a big fan of IP locks or anything that relies on IP reliability.
What do you mean by "make the SID database safe"?

Posted: Wed Nov 01, 2006 7:33 am
by DaveTheAve
I don't think I correctly got across what I meant to say. What I had meant was, lock the session to the IP, not the IP to the session. This way the session can only have one IP, while the IP can have more than one session. While this will not help against people sniffing the network and hijacking people's sessions from within the same IP, it does add some more protection.

The other topic I understand you are confused about is making the SID database friendly. This could be done by using mysql_real_escape_string.

I normally use a spin-off of a function found on that page:

<?php
// Quote variable to make safe
function quote_smart($value)
{
   // Stripslashes: undo magic_quotes_gpc if the server still has it on
   // (the setting was removed in PHP 5.4)
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not a number or a numeric string. Numeric values are returned
   // unquoted; mysql_real_escape_string() needs an open mysql connection,
   // otherwise it warns and returns false.
   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value) . "'";
   }
   return $value;
}

?>
To use this, provided you're not using register_globals and the SID variable is indeed $_GET['SID']:

<?php
$_GET['SID'] = quote_smart($_GET['SID']);
?>
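An added example, not DaveTheAve's code, doing the same SID lookup with a bound parameter instead of a quoting function. With a prepared statement the driver keeps the value apart from the SQL text, so there is nothing to escape and nothing for a stray quote to break. It uses an in-memory SQLite database through PDO as a stand-in for the MySQL table (needs the pdo_sqlite extension); the table layout and the sample row are assumed. Note that the mysql_* functions used by quote_smart were removed in PHP 7, so this is also the form that runs on current PHP.

```php
<?php
// Added example (not DaveTheAve's code): parameterised lookup of an order by SID.
// Assumptions: pdo_sqlite is available; the 'orders' table layout is invented.

declare(strict_types=1);

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE orders (sid TEXT PRIMARY KEY, step INTEGER NOT NULL, data TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO orders (sid, step, data) VALUES (:sid, :step, :data)');
    $ins->execute([':sid' => 'a1b2c3', ':step' => 2, ':data' => '{"item":"widget"}']);  // constructed row
    return $db;
}

// $sid is whatever came in on $_GET['SID']; it is sent as a parameter, never
// concatenated into the query, so no quote_smart() step is needed.
function loadOrder(PDO $db, string $sid): ?array
{
    $stmt = $db->prepare('SELECT sid, step, data FROM orders WHERE sid = :sid');
    $stmt->execute([':sid' => $sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = openStore();
var_dump(loadOrder($db, 'a1b2c3'));    // the stored row
var_dump(loadOrder($db, "a1b2c3'"));   // NULL: the quote is just part of the compared value
```

The second call would have produced a malformed query under string concatenation; here it is an ordinary lookup that finds nothing.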

Posted: Wed Nov 01, 2006 9:08 am
by jmut
DaveTheAve wrote: ...While this will not help against people sniffing the network and hijacking people's sessions from within the same IP, it does add some more protection...
Well, the whole process is using https... so I don't think sniffing will be a real problem.
DaveTheAve wrote: ...The other topic I understand you are confused about is making the SID database friendly...
Not sure how you got that... thanks anyway.

I guess it all will be ok :)
time will tell :lol: