to use session cookies or not to use session cookies

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

tecktalkcm0391
DevNet Resident
Posts: 1030
Joined: Fri May 26, 2006 9:25 am
Location: Florida


Post by tecktalkcm0391 »

I was wondering what was more secure: using session cookies or not using session cookies... what's the pros and cons?

Thanks!
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Well, neither. Session data is stored on the server. Passing the session id around can be the security issue because this can allow others to hijack the session, which can happen with or without cookies.

Post by tecktalkcm0391 »

So checking the user's login IP address versus the one being used would help, but can't that be hijacked too?

Post by Benjamin »

That's another issue, you can't check the IP because a lot of times it can change per page request. This usually happens with AOL users because they route http requests through clusters of proxy servers.

Post by tecktalkcm0391 »

astions wrote:That's another issue, you can't check the IP because a lot of times it can change per page request. This usually happens with AOL users because they route http requests through clusters of proxy servers.
That's what I thought. Any suggestions on how to prevent stealing a session from computer to computer?

Post by Benjamin »

You can somewhat mitigate the risk of sessions being hijacked by changing the session id often, maybe even per page request.
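The two points made in this thread so far, keeping the session id out of URLs and rotating it, as an added PHP example (not code from any poster). It assumes PHP 7.3 or later for the `samesite` cookie option and a site served over HTTPS; the rotation interval and the `rotate_session_if_due()` / `on_login_success()` function names are constructed for this example.

```php
<?php
// Added example, not from the thread: keep the session id in a cookie only,
// harden that cookie, and rotate the id so a captured value goes stale quickly.
// Assumes PHP >= 7.3 (for 'samesite') and that the site is served over HTTPS.

// 1. Never accept a session id from the URL or from a client-chosen value.
ini_set('session.use_only_cookies', '1');   // no ?PHPSESSID=... in links
ini_set('session.use_trans_sid', '0');      // do not rewrite links to carry the id
ini_set('session.use_strict_mode', '1');    // reject ids the server did not issue

// 2. Harden the cookie that carries the id.
session_set_cookie_params([
    'lifetime' => 0,        // true session cookie: dropped when the browser closes
    'path'     => '/',
    'domain'   => '',       // current host only
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript (document.cookie)
    'samesite' => 'Lax',    // not sent on most cross-site requests
]);

session_start();

// 3. Rotate the id on privilege changes (login) and periodically.
//    Rotating on every request works but can break concurrent requests
//    (AJAX calls racing each other), so a time-based interval is a common compromise.
const ROTATE_AFTER_SECONDS = 300; // constructed value for this example

function rotate_session_if_due(): void
{
    $now = time();
    if (!isset($_SESSION['last_rotation'])) {
        $_SESSION['last_rotation'] = $now;
        return;
    }
    if ($now - $_SESSION['last_rotation'] >= ROTATE_AFTER_SECONDS) {
        // true = delete the old session data so the old id cannot be reused
        session_regenerate_id(true);
        $_SESSION['last_rotation'] = $now;
    }
}

// Call this right after a successful login so a session id that was set
// before authentication never becomes an authenticated one (session fixation).
function on_login_success(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['last_rotation'] = time();
}

rotate_session_if_due();
```

Note that none of this ties the session to an IP address, for exactly the reason given earlier in the thread: a client behind a proxy pool may arrive from a different address on every request.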

Post by tecktalkcm0391 »

astions wrote:You can somewhat mitigate the risk of sessions being hijacked by changing the session id often, maybe even per page request.
Good idea. I think that's what MySpace does with MyToken.

Post by Benjamin »

Without looking into it, that could be a randomly generated string to prevent pages from being cached.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

tecktalkcm0391 wrote:
astions wrote:You can somewhat mitigate the risk of sessions being hijacked by changing the session id often, maybe even per page request.
Good idea. I think that's what MySpace does with MyToken.
Hehe, I've stolen a "MyToken" before and was automatically logged into their account after loading it into my cookies. It didn't work the last time I did it though, and a good thing, too. If any website on the entire internet should put more effort into security, it's MySpace.

Post by tecktalkcm0391 »

superdezign wrote:If any website on the entire internet should put more effort into security, it's MySpace.
Yeah, they need to be... especially because I can log in using just the letters in my password in any case...
password - works
pAssword - works
PASSWORD - works... etc.

Post by superdezign »

tecktalkcm0391 wrote:
superdezign wrote:If any website on the entire internet should put more effort into security, it's MySpace.
Yeah, they need to be... especially because I can log in using just the letters in my password in any case...
password - works
pAssword - works
PASSWORD - works... etc.
Case-insensitive passwords? That's.... that's dumb.

Post by Benjamin »

Hmm, that probably means they are either not encrypting them, or they are converting them to lower case or upper case before encrypting them.
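The two storage choices named in this post, side by side, as an added PHP example (not code from any poster). What the thread calls "encrypting" is password hashing; the example uses `password_hash()` / `password_verify()` (PHP 5.5+), which salt and hash with bcrypt by default. The function names and the sample password are constructed for this example.

```php
<?php
// Added example, not from the thread: case-preserving versus case-folding
// password storage. register()/login() keep the case, as they should.
// register_lowercased()/login_lowercased() reproduce the "any case works"
// symptom by normalising the password before hashing it.
// Assumes PHP >= 5.5 for password_hash() and password_verify().

function register(string $password): string
{
    // Store only the hash. The salt and cost are embedded in the returned string.
    return password_hash($password, PASSWORD_DEFAULT);
}

function login(string $storedHash, string $password): bool
{
    // Constant-time comparison against the stored hash; the case of
    // every character must match.
    return password_verify($password, $storedHash);
}

// The flawed variant: folding case before hashing maps 'password',
// 'pAssword' and 'PASSWORD' onto the same hash, so all of them verify,
// and the effective keyspace shrinks to lowercase letters only.
function register_lowercased(string $password): string
{
    return password_hash(strtolower($password), PASSWORD_DEFAULT);
}

function login_lowercased(string $storedHash, string $password): bool
{
    return password_verify(strtolower($password), $storedHash);
}

// Constructed demonstration values.
$goodHash = register('PasSWOrD07');
$badHash  = register_lowercased('PasSWOrD07');

// Case-preserving scheme: the exact password verifies, a re-cased one does not.
var_dump(login($goodHash, 'PasSWOrD07'));
var_dump(login($goodHash, 'password07'));

// Case-folding scheme: every casing of the password verifies.
var_dump(login_lowercased($badHash, 'password07'));
var_dump(login_lowercased($badHash, 'PASSWORD07'));
```

If an existing user table already holds case-folded hashes, the fix is to rehash with the original case at the user's next successful login, since the original password cannot be recovered from the stored hash.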

Post by tecktalkcm0391 »

astions wrote:Hmm, that probably means they are either not encrypting them, or they are converting them to lower case or upper case before encrypting them.
Yeah, but MySpace passwords should be encrypted, and isn't it easier to guess passwords that are all lowercase than something like: PasSWOrD07

Post by Benjamin »

I would hate to see their code base.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

To go further off topic ;)

I changed my password with them. Now BOTH passwords work.