session checking and session_regenerate_id()

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

session checking and session_regenerate_id()

Post by s.dot »

By storing a user's session in the database and then checking session_id() against that stored session value on every page load to ensure that they match, am I actually decreasing my users' security?

Should I be regenerating session ids on every page load, instead of ensuring they only have one session id throughout their entire session?
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Fixation becomes a larger issue if you allow the session ID to be maintained throughout the session. Regenerating the ID on each page feels like overkill however.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

What about something like...


if(mt_rand(1,20) == 10)
{
    session_regenerate_id();
}
?

And, storing and checking against the session id is pretty much useless?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

scottayy wrote:What about something like...


if(mt_rand(1,20) == 10)
{
    session_regenerate_id();
}
?
Probably okay.
scottayy wrote:And, storing and checking against the session id is pretty much useless?
Storing the old and new session IDs to ensure one belongs to the other? It has its uses.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: session checking and session_regenerate_id()

Post by Mordred »

scottayy wrote:By storing a users session in the database and then checking the session_id() against that stored session value on every pageload to ensure that they match, am I actually decreasing my users security?

Should I be regenerating session ids on every page load, instead of ensuring they only have one session id throughout their entire session?
You mean session ID instead of session, perhaps?
If you keep session data in files, you are really decreasing security if you keep SIDs in the database - now there is an additional way to get the SIDs (SQL injection). Meanwhile, how would you check "that they match"? The SID is the key which is used to retrieve the session data; if the key is different, the data would also be. Maybe you mean checking the IP of the user, which is easily done by storing his IP in the session data and checking it on each access (but there is the caveat of AOL changing IPs for each request).

The session ID should be regenerated when the user gets logged in to prevent session fixation. From that moment on, if the attacker has other means of acquiring a user's SID, changing it on each (or one in 20) requests will not help. It doesn't hurt much doing so though, so my paranoia voice does not disapprove of the idea; it may help mitigate some strange vulnerability (what if a hacker can get the SID through a hole that can be used only once in 5 minutes?).
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Yes, I definitely meant session IDs. My bad.

I check that they match by seeing if session_id() == $db['storedsessionid'].

I can store a page-load count in the session and change the session ID once it reaches 10. So every 10 page loads = new session ID. Then I'll take off the part where it checks the database to see if it matches.

By the way, I have session.use_only_cookies set to true, so session IDs cannot be passed via GET. Does this matter?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

scottayy wrote:I check that they match by seeing if session_id() == $db['storedsessionid'].
How do you get the $db record?
scottayy wrote:I can store a pageload count in the session and change the session id once it reaches 10. So every 10 page loads = new session id. Then I'll take off the part where it checks the database to see if it matches.
Yeah, whatever, choose the simplest solution and stick to it; as I said, this is only a paranoia precaution. The important step is to regenerate the ID when the user logs in.
scottayy wrote:By the way, I have session.use_only_cookies set to true, so session ids cannot be passed via get. Does this matter?
Yep, it helps a bit, but you must still make sure you've done the really important steps.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Mordred wrote:
scottayy wrote:I check that they match by seeing if session_id() == $db['storedsessionid'].
How do you get the $db record?
$sql = "SELECT `sessionid` FROM `users` WHERE `userid` = '{$_SESSION['userid']}'";
// thinking about it, this logic may be backwards eh?

So, let me get things straight.. cuz I'm a bit dumb. =]

1. regenerate the session ID when they log in
2. no need to store session IDs and check against them
3. regenerate the session ID every x page loads, for added "paranoia" security.

does that sound good?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

Aye, that's good.
$sql = "SELECT `sessionid` FROM `users` WHERE `userid` = '{$_SESSION['userid']}'";
// thinking about it, this logic may be backwards eh?
Exactly! In order to have $_SESSION['userid'] you already need the correct SID.
It's like keeping a copy of your primary key in another column, and checking if the copy matches the ID.
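The recipe the thread settles on (Mordred's "regenerate at login" post above, and scottayy's three-point recap that Mordred just confirmed) in working PHP, written for this page as an added example rather than code posted by anyone in the thread. It regenerates the ID at login (the step that actually defeats fixation), rotates it every N page loads using a counter kept in the session instead of the mt_rand(1,20) coin flip, hardens the cookie settings that were discussed (session.use_only_cookies and friends), and keeps no copy of the SID in the users table. The function names start_secure_session(), login(), logout() and authenticate(), the constants SESSION_ROTATE_EVERY and BIND_SESSION_TO_IP, and the inline user table are all assumptions made for the example; a real authenticate() would query the database with a prepared statement.

```php
<?php
// Added example for this thread, not code from any post in it.
// Assumed names: start_secure_session(), login(), logout(), authenticate(),
// SESSION_ROTATE_EVERY, BIND_SESSION_TO_IP.

const SESSION_ROTATE_EVERY = 10;    // page loads between rotations (assumption)
const BIND_SESSION_TO_IP   = false; // off by default: proxy pools change the IP per request

function start_secure_session(): void
{
    // ID only from the cookie, never from the query string (use_only_cookies);
    // refuse IDs the server never issued (strict mode, kills most fixation);
    // keep the cookie away from JavaScript.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
    // ini_set('session.cookie_secure', '1'); // enable once the site is HTTPS-only

    session_start();

    // Optional IP binding from the thread, with the thread's own caveat:
    // AOL-style proxies rotate IPs per request, so this is opt-in.
    if (BIND_SESSION_TO_IP && isset($_SESSION['ip'])
        && $_SESSION['ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        logout();            // treat as hijack: drop the session
        session_start();     // continue with a fresh, anonymous session
    }

    // "Paranoia" rotation every N requests, counted in the session itself.
    $_SESSION['pageloads'] = ($_SESSION['pageloads'] ?? 0) + 1;
    if ($_SESSION['pageloads'] >= SESSION_ROTATE_EVERY) {
        session_regenerate_id(true);   // true: delete the old session data
        $_SESSION['pageloads'] = 0;
    }
}

/** Hypothetical credential check over a constructed in-memory user table. */
function authenticate(string $user, string $password): ?int
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => [7, password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    if (!isset($users[$user]) || !password_verify($password, $users[$user][1])) {
        return null;
    }
    return $users[$user][0];           // the user's id
}

function login(string $user, string $password): bool
{
    $userId = authenticate($user, $password);
    if ($userId === null) {
        return false;
    }
    // Privilege changes here, so any ID an attacker planted before login
    // (fixation) is discarded and a fresh one is issued to this browser.
    session_regenerate_id(true);
    $_SESSION['userid']    = $userId;  // this is all the "session check" needs
    $_SESSION['pageloads'] = 0;
    $_SESSION['ip']        = $_SERVER['REMOTE_ADDR'] ?? '';
    return true;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage in a page (example only):
// start_secure_session();
// if (isset($_POST['user'], $_POST['pass']) && login($_POST['user'], $_POST['pass'])) { ... }
```

Note that once $_SESSION['userid'] is populated there is nothing left to compare a stored SID against: the browser could only have reached that session data by presenting the current SID, which is exactly the circularity Mordred points out.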
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Mordred wrote:It's like keeping a copy of your primary key in another column, and checking if the copy matches the id.
lol, exactly :P
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Hypothetical situation here:

Say someone is browsing, then somehow they're browsing the site in another window (this happens a lot). Then in the new window they get a new session ID. What happens when they switch back to the old window?

Since a new session cookie has been generated, I'd imagine that they would switch over to the new session ID, correct?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Provided the windows are sharing the same session, yes.