A simple(?) question about $_SESSION [SOLVED]: Thanks. :)

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Chalks
Forum Contributor
Posts: 447
Joined: Thu Jul 12, 2007 7:55 am
Location: Indiana

A simple(?) question about $_SESSION [SOLVED]: Thanks. :)

Post by Chalks »

In the forum I'm building, I'm thinking about storing the user id in a SESSION variable, so that I don't have to do a query every time my user makes a post. However, I don't know how secure sessions are. Would it be possible for someone to edit their session data so that they appear to be someone else?

For example:
User John logs in - $_SESSION['idnum'] = 123
User Craig has idnum 994
John modifies his SESSION['idnum'] to show 994
John posts a thread, and OH NO, it looks like Craig just insulted user Jimmy! :(

Possible?


p.s. If someone wants to explain to me how sessions work, I'd be grateful. I've been treating them as if they're perfectly secure, and I'm pretty sure they're not.
Last edited by Chalks on Sun Jan 20, 2008 6:51 pm, edited 1 time in total.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: A simple(?) question about $_SESSION

Post by Christopher »

Sessions work by identifying a unique user (using various means) and creating a unique ID to identify that user. The PHP session library will then load the $_SESSION superglobal array with any data currently in the session when session_start() is called. Data is written back to the data store when the script ends or session_write_close() is called. The data store is the filesystem by default -- each user's data is stored in a separate file that uses the unique ID in its name. You can also use databases, etc. to store the session data, and there are session_*() functions to configure that, and plenty of implementations around to use.

It is possible for someone to reuse another user's unique session ID and thereby access their data. It is usually referred to as session fixation. The usual way to reduce this problem is to regenerate the session id regularly.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: A simple(?) question about $_SESSION

Post by VladSun »

arborint wrote:It is possible for someone to reuse another user's unique session ID and thereby access their data. It is usually referred to as session fixation. The usual way to reduce this problem is to regenerate the session id regularly.
I must note that it's not session fixation, but rather session hijacking. It would be session fixation if I sent you a link like "http://domain.com?sid=123", you opened it, it insisted that you log in (while keeping session id 123), and then I used session id 123 with your credentials.

Session hijacking is simply stealing your session id after you've created a session.
There are 10 types of people in this world, those who understand binary and those who don't
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: A simple(?) question about $_SESSION

Post by VladSun »

Chalks wrote:p.s. If someone wants to explain to me how sessions work, I'd be grateful. I've been treating them as if they're perfectly secure, and I'm pretty sure they're not.
Sessions are server-side pieces of information identified by their session ID. When a user requests a page that uses sessions, the existence of a session is checked in two ways - by looking for a GET/POST or a COOKIE variable containing the session ID (i.e. client-side data). If this ID exists then all of this server-side information is assigned to $_SESSION. If the ID doesn't exist then no $_SESSION data is assigned to this user.

The security model of sessions insists that you (i.e. the PHP engine) use a long enough and random ID, so it's hard to predict or brute-force.
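As an added example, not code from this thread: a minimal file-backed save handler in the shape PHP's own "files" handler uses, to make the mechanics Christopher and VladSun describe concrete. The only client-side piece is the ID cookie; everything in $_SESSION lives in sess_<id> on the server, is loaded by session_start() and written back at shutdown or session_write_close(). The handler also implements validateId(), which is what session.use_strict_mode consults before adopting an ID sent by the client, so an ID the server never issued is refused. The storage directory, the PHP 8.0+ requirement and the idnum value 123 are assumptions made for this example.

```php
<?php
// Added example for this thread (not code posted by Christopher or VladSun).
// Assumptions: PHP 8.0+, the storage directory chosen below, and the 'idnum'
// key from the original question.

declare(strict_types=1);

final class FileSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private string $dir) {}

    // Map an ID to its file. The ID arrives from the client (cookie), so it is
    // untrusted: refuse anything that is not a plain PHP session ID, otherwise
    // a forged cookie could point read()/write() at an arbitrary path.
    private function path(string $id): ?string
    {
        return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1
            ? $this->dir . '/sess_' . $id
            : null;
    }

    public function open(string $path, string $name): bool
    {
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }

    public function close(): bool
    {
        return true;
    }

    // Called by session_start(): the serialized data becomes $_SESSION.
    public function read(string $id): string|false
    {
        $f = $this->path($id);
        return ($f !== null && is_file($f)) ? (string) file_get_contents($f) : '';
    }

    // Called at shutdown / session_write_close() with the serialized $_SESSION.
    public function write(string $id, string $data): bool
    {
        $f = $this->path($id);
        return $f !== null && file_put_contents($f, $data, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $f = $this->path($id);
        return $f === null || !is_file($f) || unlink($f);
    }

    public function gc(int $max_lifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $f) {
            if (filemtime($f) < time() - $max_lifetime && unlink($f)) {
                $removed++;
            }
        }
        return $removed;
    }

    // With session.use_strict_mode=1 PHP asks this before adopting an ID from
    // the client. An ID this server never created (e.g. one an attacker chose
    // and planted) is refused and a fresh ID is issued instead.
    public function validateId(string $id): bool
    {
        $f = $this->path($id);
        return $f !== null && is_file($f);
    }

    // Used when session.lazy_write=1 and the data did not change.
    public function updateTimestamp(string $id, string $data): bool
    {
        $f = $this->path($id);
        return $f !== null && touch($f);
    }
}

ini_set('session.use_strict_mode', '1');   // refuse IDs the server never issued
ini_set('session.use_only_cookies', '1');  // never accept ?PHPSESSID=... in the URL
session_set_save_handler(new FileSessionHandler(sys_get_temp_dir() . '/forum_sessions'), true);
session_start();

// John's cookie holds nothing but the ID string printed below; 'idnum' is
// stored in sess_<id> and can only be changed by code running on the server.
$_SESSION['idnum'] ??= 123;   // assumed value, for illustration
echo 'session id: ', session_id(), PHP_EOL;
session_write_close();        // flush $_SESSION to sess_<id> now rather than at script end
```

Serve the file with PHP's built-in server and reload it a few times: a single sess_<id> file appears under the directory and its contents track $_SESSION. Changing the cookie to an ID that does not exist only gets you a fresh, empty session; the one thing the client can do is present someone else's real ID, which is the hijacking/fixation case the earlier replies distinguish.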
Chalks
Forum Contributor
Posts: 447
Joined: Thu Jul 12, 2007 7:55 am
Location: Indiana

Re: A simple(?) question about $_SESSION

Post by Chalks »

That's all great to hear, thanks for the information (as usual, you guys are awesome)!

So, from what you all seem to be saying, it's ok to store light-medium sensitive (e.g. current user id) information in a session as long as I'm regenerating SIDs?
arborint wrote:...The usual way to reduce this problem is to regenerate the session id regularly
How regularly? Every five minutes? Every time they visit the index page?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: A simple(?) question about $_SESSION

Post by VladSun »

Chalks wrote:So, from what you all seem to be saying, it's ok to store light-medium sensitive (e.g. current user id) information in a session as long as I'm regenerating SIDs?
Yes - it minimizes the "time window" for stealing the session id.
Chalks wrote:
arborint wrote:...The usual way to reduce this problem is to regenerate the session id regularly
How regularly? Every five minutes? Every time they visit the index page?
Every time they visit a page.
Chalks
Forum Contributor
Posts: 447
Joined: Thu Jul 12, 2007 7:55 am
Location: Indiana

Re: A simple(?) question about $_SESSION

Post by Chalks »

VladSun wrote:Every time they visit a page.
So... put the code to change SID in my common header? Doesn't that create a strain on the server, or is it so minimal as to be unnoticeable?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: A simple(?) question about $_SESSION

Post by VladSun »

It has a minimal strain on the server :)
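As an added example, not code posted by any of the participants: the two places this thread puts session_regenerate_id(). The first is at login, which is what defeats the fixation scenario VladSun describes (the attacker chose the ID, so the ID is replaced before any privileged data is written). The second is the per-page rotation from the common header that VladSun recommends at the end, which shrinks the window in which a stolen ID stays usable. Per-page rotation with the old record deleted immediately breaks a request that is still in flight under the old ID (page plus AJAX, a double click), so the rotation follows the pattern on the PHP manual's session_regenerate_id() page and keeps the old record readable for a short grace period. The 'idnum' key is from the thread; the 'retired_at' and 'rotated_at' keys, the grace period, the interval parameter and the PHP 7.3+ requirement are assumptions made here.

```php
<?php
// Added example for this thread (not code from the original posts).
// Assumptions: PHP 7.3+ (for session.cookie_samesite), the 'retired_at' /
// 'rotated_at' bookkeeping keys and the constants below.

declare(strict_types=1);

const SESSION_GRACE_SECONDS = 60; // how long a rotated-away ID may still be read

function start_session(): void
{
    ini_set('session.use_only_cookies', '1');   // ignore ?PHPSESSID=... in URLs
    ini_set('session.use_strict_mode', '1');    // refuse IDs the server never issued
    ini_set('session.cookie_httponly', '1');    // keep document.cookie away from the ID
    ini_set('session.cookie_samesite', 'Lax');  // PHP 7.3+
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        ini_set('session.cookie_secure', '1');  // never send the ID over plain HTTP
    }
    session_start();

    // A record rotated away more than SESSION_GRACE_SECONDS ago will not be
    // presented again by the legitimate browser: treat it as a replayed
    // (stolen) ID, drop it and start over anonymously.
    if (isset($_SESSION['retired_at'])
        && $_SESSION['retired_at'] + SESSION_GRACE_SECONDS < time()) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
}

// Call once the password check has succeeded. The ID changes *before* the
// privileged data is written, so an ID an attacker planted in the victim's
// browser never becomes a logged-in session. $_SESSION is reset as well, so
// nothing written into the pre-login record is carried over.
function login_user(int $idnum): void
{
    session_regenerate_id(true);   // true: delete the old record immediately
    $_SESSION = ['idnum' => $idnum, 'rotated_at' => time()];
}

// Common-header rotation. The old record is kept for a grace period with a
// retirement mark instead of being deleted, so an in-flight request under the
// old ID still works; start_session() refuses the mark once it is too old.
// $interval = 0 rotates on every page, as suggested in the thread.
function rotate_session_id(int $interval = 0): void
{
    if (!isset($_SESSION['idnum'])               // anonymous visitor: nothing to protect
        || isset($_SESSION['retired_at'])        // in-flight request on a retired record
        || ($_SESSION['rotated_at'] ?? 0) + $interval > time()) {
        return;
    }
    $data = $_SESSION;
    $data['rotated_at'] = time();
    $newId = session_create_id();              // collision-checked while the session is active
    $_SESSION['retired_at'] = time();
    session_write_close();                     // persist the mark into the OLD record
    ini_set('session.use_strict_mode', '0');   // strict mode would refuse our own new ID
    session_id($newId);
    session_start();                           // sends the cookie with the new ID
    ini_set('session.use_strict_mode', '1');
    $_SESSION = $data;                         // new record: same data, no retirement mark
}

// --- common header ---
start_session();
rotate_session_id();
// --- page body, e.g. the post handler ---
$author = $_SESSION['idnum'] ?? null;   // trusted: read from the server-side record, never from the client
```

The retired records are removed by normal session garbage collection after session.gc_maxlifetime, so the cost of rotating on every page is one extra write and one extra file per request; passing an interval such as 300 to rotate_session_id() is the trade-off between "every page" and "every five minutes" that Chalks asks about. login_user() can delete the old record outright because no privileged data exists yet at that point.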