session checking and session_regenerate_id()
Moderator: General Moderators
By storing a users session in the database and then checking the session_id() against that stored session value on every pageload to ensure that they match, am I actually decreasing my users security?
Should I be regenerating session ids on every page load, instead of ensuring they only have one session id throughout their entire session?
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
What about something like...

Code:
if (mt_rand(1, 20) == 10) {
    session_regenerate_id();
}

?

And, storing and checking against the session id is pretty much useless?
- feyd
- Neighborhood Spidermoddy
scottayy wrote:
What about something like...
Code:
if (mt_rand(1, 20) == 10) { session_regenerate_id(); }
?

Probably okay.

scottayy wrote:
And, storing and checking against the session id is pretty much useless?

Storing the old and new session IDs to ensure one belongs to the other? It has its uses.
Re: session checking and session_regenerate_id()
scottayy wrote:
By storing a user's session in the database and then checking the session_id() against that stored session value on every pageload to ensure that they match, am I actually decreasing my users' security?
Should I be regenerating session ids on every page load, instead of ensuring they only have one session id throughout their entire session?

You mean session id instead of session, perhaps?

If you keep session data in files, you are really decreasing security if you keep SIDs in the database: now there is an additional way to get the SIDs (SQL injection). Meanwhile, how would you check "that they match"? The SID is the key which is used to retrieve the session data; if the key is different, the data would also be. Maybe you mean checking the IP of the user, which is easily done by storing his IP in the session data and checking it on each access (but there is the caveat of AOL changing IPs for each request).

The session id should be regenerated when the user gets logged in to prevent session fixation. From that moment on, if the attacker has other means of acquiring a user's SID, changing it on each (or one in 20) requests will not help. It doesn't hurt much doing so though, so my paranoia voice does not disapprove of the idea; it may help mitigate some strange vulnerability (what if a hacker can get the SID through a hole that can be used only once in 5 minutes?).
Yes, I definitely meant session ids. My bad.
I check that they match by seeing if session_id() == $db['storedsessionid'].
I can store a pageload count in the session and change the session id once it reaches 10. So every 10 page loads = new session id. Then I'll take off the part where it checks the database to see if it matches.
By the way, I have session.use_only_cookies set to true, so session ids cannot be passed via get. Does this matter?
scottayy wrote:
I check that they match by seeing if session_id() == $db['storedsessionid'].

How do you get the $db record?

scottayy wrote:
I can store a pageload count in the session and change the session id once it reaches 10. So every 10 page loads = new session id. Then I'll take off the part where it checks the database to see if it matches.

Yeah, whatever, choose the simplest solution and stick to it; as I said, this is only a paranoia precaution. The important step is to regenerate the id when the user logs in.

scottayy wrote:
By the way, I have session.use_only_cookies set to true, so session ids cannot be passed via get. Does this matter?

Yep, it helps a bit, but you must still make sure you've done the really important steps.
Mordred wrote:
scottayy wrote:
I check that they match by seeing if session_id() == $db['storedsessionid'].
How do you get the $db record?

Code:
SELECT `sessionid` FROM `users` WHERE `userid` = '{$_SESSION['userid']}'
// thinking about it, this logic may be backwards eh?
So, let me get things straight.. cuz I'm a bit dumb. =]
1. regenerate session id when they log in
2. no need to store session ids and check against it
3. regenerate session id every x page loads, for added "paranoia" security.
does that sound good?
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Aye, that's good.
scottayy wrote:
SELECT `sessionid` FROM `users` WHERE `userid` = '{$_SESSION['userid']}'
// thinking about it, this logic may be backwards eh?

Exactly! In order to have $_SESSION['userid'] you already need the correct SID.
It's like keeping a copy of your primary key in another column, and checking if the copy matches the id.
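The three steps agreed on above (regenerate at login, no DB copy of the SID, periodic "paranoia" regeneration every 10 loads, cookies-only SIDs), put into one PHP bootstrap as an added example that is not code from the thread. check_credentials() is an assumed helper that returns a user id or null; the use_strict_mode and cookie-flag settings are additions beyond what the thread discusses.

```php
<?php
// Added example, not from the thread. Assumes a hypothetical
// check_credentials(string $user, string $pass): ?int helper.

ini_set('session.use_only_cookies', '1');  // SID accepted from the cookie only, never from GET
ini_set('session.use_strict_mode', '1');   // reject SIDs the server never issued (anti-fixation)
session_set_cookie_params([
    'httponly' => true,   // keep the SID away from page scripts
    'secure'   => true,   // send it over HTTPS only
    'samesite' => 'Lax',
]);
session_start();

const REGENERATE_EVERY = 10;  // page loads between periodic regenerations

function login(string $user, string $pass): bool
{
    $userId = check_credentials($user, $pass);  // hypothetical helper
    if ($userId === null) {
        return false;
    }
    // The important step: a fresh SID at login defeats session fixation,
    // because a SID planted by an attacker before login is now worthless.
    session_regenerate_id(true);   // true = discard the old session data too
    $_SESSION['userid'] = $userId;
    $_SESSION['loads']  = 0;
    return true;
}

function rotate_periodically(): void
{
    // scottayy's pageload counter: new SID every REGENERATE_EVERY loads.
    $_SESSION['loads'] = ($_SESSION['loads'] ?? 0) + 1;
    if ($_SESSION['loads'] >= REGENERATE_EVERY) {
        session_regenerate_id(true);
        $_SESSION['loads'] = 0;
    }
}

function logout(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

// Per request, once the session is open: no DB lookup of the SID is needed,
// since holding $_SESSION['userid'] already required the correct SID.
if (isset($_SESSION['userid'])) {
    rotate_periodically();
}
```

Passing true to session_regenerate_id() deletes the old session immediately, so a second request still carrying the old SID (two tabs, a slow AJAX call) will land in an empty session; if that matters to you, pass false and let the old session expire on its own.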
Hypothetical situation here:
Say someone is browsing, then somehow they're browsing the site in another window (this happens a lot). Then in the new window they get a new session id. What happens when they switch back to the old window?
Since a new session cookie has been generated, I'd imagine that they would switch over to the new session id, correct?