session checking and session_regenerate_id()
Posted: Mon Apr 02, 2007 9:33 am
by s.dot
By storing a user's session in the database and then checking the session_id() against that stored session value on every page load to ensure that they match, am I actually decreasing my users' security?
Should I be regenerating session ids on every page load, instead of ensuring they only have one session id throughout their entire session?
Posted: Mon Apr 02, 2007 9:47 am
by feyd
Fixation becomes a larger issue if you allow the session ID to be maintained throughout the session. Regenerating the ID on each page feels like overkill, however.
Posted: Mon Apr 02, 2007 9:53 am
by s.dot
What about something like...
Code:
// roughly one request in twenty gets a fresh session ID
if (mt_rand(1, 20) == 10) {
    session_regenerate_id();
}
?
And, storing and checking against the session id is pretty much useless?
Posted: Mon Apr 02, 2007 10:06 am
by feyd
scottayy wrote:What about something like...
Code:
// roughly one request in twenty gets a fresh session ID
if (mt_rand(1, 20) == 10) {
    session_regenerate_id();
}
?
Probably okay.
scottayy wrote:And, storing and checking against the session id is pretty much useless?
Storing the old and new session IDs to ensure one belongs to the other? It has its uses.
Re: session checking and session_regenerate_id()
Posted: Mon Apr 02, 2007 10:48 am
by Mordred
scottayy wrote:By storing a users session in the database and then checking the session_id() against that stored session value on every pageload to ensure that they match, am I actually decreasing my users security?
Should I be regenerating session ids on every page load, instead of ensuring they only have one session id throughout their entire session?
You mean session id instead of session, perhaps?
If you keep session data in files, you are really decreasing security if you keep SIDs in the database - now there is an additional way to get the SIDs (SQL injection). Meanwhile, how would you check "that they match"? The SID is the key which is used to retrieve the session data; if the key is different, the data would also be. Maybe you mean checking the IP of the user, which is easily done by storing his IP in the session data and checking it on each access (but there is the caveat of AOL changing IPs for each request).
The session id should be regenerated when the user gets logged in to prevent session fixation. From that moment on, if the attacker has other means of acquiring a user's SID, changing it on each (or one in 20) requests will not help. It doesn't hurt much doing so though, so my paranoia voice does not disapprove of the idea; it may help mitigate some strange vulnerability (what if a hacker can get the SID through a hole that can be used only once in 5 minutes?).
Posted: Mon Apr 02, 2007 3:46 pm
by s.dot
Yes, I definitely meant session ids. My bad.
I check that they match by seeing if session_id() == $db['storedsessionid'].
I can store a pageload count in the session and change the session id once it reaches 10. So every 10 page loads = new session id. Then I'll take off the part where it checks the database to see if it matches.
By the way, I have session.use_only_cookies set to true, so session ids cannot be passed via get. Does this matter?
Posted: Tue Apr 03, 2007 3:20 am
by Mordred
scottayy wrote:I check that they match by seeing if session_id() == $db['storedsessionid'].
How do you get the $db record?
scottayy wrote:I can store a pageload count in the session and change the session id once it reaches 10. So every 10 page loads = new session id. Then I'll take off the part where it checks the database to see if it matches.
Yeah, whatever, choose the simplest solution and stick to it; as I said, this is only a paranoia precaution. The important step is to regenerate the id when the user logs in.
scottayy wrote:By the way, I have session.use_only_cookies set to true, so session ids cannot be passed via get. Does this matter?
Yep, it helps a bit, but you must still make sure you've done the really important steps.
Posted: Tue Apr 03, 2007 1:20 pm
by s.dot
Mordred wrote:scottayy wrote:I check that they match by seeing if session_id() == $db['storedsessionid'].
How do you get the $db record?
SELECT `sessionid` FROM `users` WHERE `userid` = '{$_SESSION['userid']}'
// thinking about it, this logic may be backwards eh?
So, let me get things straight.. cuz I'm a bit dumb. =]
1. regenerate session id when they log in
2. no need to store session ids and check against it
3. regenerate session id every x page loads, for added "paranoia" security.
does that sound good?
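The three steps summarised above (and Mordred's explanation of why the login-time regeneration is the one that matters), as an added example that is not code from the thread. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(), that the site is served over HTTPS, and a hypothetical verify_credentials() standing in for a real user lookup; the sample user table inside it is constructed for the example.

```php
<?php
// Added example, not code from the thread. Implements the three steps agreed
// on above: regenerate the ID at login, drop the redundant DB comparison, and
// rotate the ID periodically. Assumes PHP 7.3+ and an HTTPS-only site.
declare(strict_types=1);

const ROTATE_AFTER_SECONDS = 600; // assumption: rotate the ID every 10 minutes

// Hardened session start: cookies only (no SID in the URL), reject IDs the
// server never issued (strict mode), and keep the cookie away from scripts.
function start_secure_session(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,      // assumption: the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();

    // Step 3: time-based rotation instead of mt_rand() or a page counter, so
    // the ID changes on a predictable schedule regardless of traffic volume.
    $issued = $_SESSION['sid_issued_at'] ?? 0;
    if (time() - $issued > ROTATE_AFTER_SECONDS) {
        session_regenerate_id(true);
        $_SESSION['sid_issued_at'] = time();
    }
}

// Hypothetical credential check standing in for a real user lookup.
// Returns the user ID on success, null otherwise.
function verify_credentials(string $username, string $password): ?int
{
    // Constructed sample user; a real app reads the hash from its user table.
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 42, 'hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)],
        ];
    }
    $row = $users[$username] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return null;
    }
    return $row['id'];
}

// Step 1: on a successful login, drop the pre-login ID so that an ID an
// attacker planted before authentication (fixation) never becomes an
// authenticated one. Session data accumulated before login is carried over;
// only the identifier changes.
function login(string $username, string $password): bool
{
    $userId = verify_credentials($username, $password);
    if ($userId === null) {
        return false;
    }
    session_regenerate_id(true);              // true: delete the old record
    $_SESSION['userid']        = $userId;
    $_SESSION['sid_issued_at'] = time();
    return true;
}

// Step 2: authorisation is just "is a user ID bound to this session?".
// No DB round trip comparing session_id() to a stored copy is needed, because
// the session record can only be reached with the right ID in the first place.
function current_user_id(): ?int
{
    return $_SESSION['userid'] ?? null;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage on a login page (the POST field names are assumptions):
start_secure_session();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) {
        header('Location: /account');
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
}
```

The rotation is keyed to a timestamp stored in the session rather than to a random draw or a page counter, so a low-traffic session still gets a fresh ID and a high-traffic one is not rotated on every other request. The same session_regenerate_id(true) call belongs at any other privilege change too (password change, role switch), for the same fixation reason.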
Posted: Tue Apr 03, 2007 1:26 pm
by Mordred
Aye, that's good.
SELECT `sessionid` FROM `users` WHERE `userid` = '{$_SESSION['userid']}'
// thinking about it, this logic may be backwards eh?
Exactly! In order to have $_SESSION['userid'] you already need the correct SID.
It's like keeping a copy of your primary key in another column, and checking if the copy matches the id.
Posted: Tue Apr 03, 2007 2:19 pm
by Oren
Mordred wrote:It's like keeping a copy of your primary key in another column, and checking if the copy matches the id.
lol, exactly

Posted: Tue Apr 03, 2007 2:21 pm
by s.dot
hypothetical situation here,
say someone is browsing, then somehow they're browsing the site in another window (this happens a lot). Then in the new window they get a new session id.. what happens when they switch back to the old window?
Since a new session cookie has been generated, I'd imagine that they would switch over to the new session id, correct?
Posted: Tue Apr 03, 2007 3:40 pm
by feyd
Provided the windows are sharing the same session, yes.
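The two-window case in the last two posts, as an added example that is not code from the thread. feyd's answer covers the normal case: both windows share the cookie jar, so the old window sends the new cookie on its next request. The gap is a request from the other window that is already in flight (or an AJAX call fired just before the rotation) and still carries the old ID: if the old record was deleted with session_regenerate_id(true), that request lands on an empty session and the user appears logged out. The code below instead leaves the old record alive for a short grace period with a forwarding note to the new ID, which is the pattern the PHP manual describes for session_regenerate_id(). It assumes PHP 7.1 or later for session_create_id(); the grace period and field names are assumptions.

```php
<?php
// Added example, not code from the thread. Rotates the session ID without
// losing requests that still carry the old one (second window, AJAX call).
// Assumes PHP 7.1+ (session_create_id()) and session.use_strict_mode=1.
declare(strict_types=1);

const OLD_ID_GRACE_SECONDS = 60; // assumption: old ID stays usable one minute

// Rotate the ID, leaving the old record in place with a forwarding note.
function rotate_session_id(): void
{
    $newId = session_create_id();

    // Mark the old record as superseded and point it at the new ID, then
    // write it out and release the lock.
    $_SESSION['new_session_id'] = $newId;
    $_SESSION['superseded_at']  = time();
    $data = $_SESSION;
    session_commit();

    // Open the new record under the new ID. Strict mode rejects IDs the
    // server has not issued yet, so it is switched off for this one start.
    session_id($newId);
    ini_set('session.use_strict_mode', '0');
    session_start();
    ini_set('session.use_strict_mode', '1');

    // Carry the data across; the forwarding fields belong only to the old record.
    $_SESSION = $data;
    unset($_SESSION['new_session_id'], $_SESSION['superseded_at']);
    $_SESSION['sid_issued_at'] = time();
}

// Call this on every page instead of a bare session_start(). Returns true when
// a usable session is active, false when the browser presented an old ID after
// the grace period (caller should treat the visitor as logged out).
function start_session_with_grace(): bool
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_start();

    if (!isset($_SESSION['superseded_at'])) {
        return true;                              // normal, current session
    }

    $age = time() - $_SESSION['superseded_at'];
    if ($age <= OLD_ID_GRACE_SECONDS && isset($_SESSION['new_session_id'])) {
        // The other window already moved on; follow it to the new record.
        $newId = $_SESSION['new_session_id'];
        session_commit();
        session_id($newId);
        session_start();
        return true;
    }

    // An old ID presented well after the rotation is not a slow second window
    // any more; it looks like a replayed cookie. Wipe it and start clean.
    $_SESSION = [];
    session_destroy();
    session_start();                              // strict mode issues a fresh ID
    return false;
}

// Usage (the redirect target is an assumption):
if (!start_session_with_grace()) {
    header('Location: /login?expired=1');
    exit;
}
```

The trade-off is deliberate: a one-minute window in which the old ID still resolves is the price of not logging users out of their other tab, and the grace period doubles as a detector, since a stale ID arriving after it is exactly what a stolen cookie would look like.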