A simple(?) question about $_SESSION [SOLVED]: Thanks. :)
Posted: Sun Jan 20, 2008 5:25 pm
by Chalks
In the forum I'm building, I'm thinking about storing the user id in a SESSION variable, so that I don't have to do a query every time my user makes a post. However, I don't know how secure sessions are. Would it be possible for someone to edit their session data so that they appear to be someone else?
For example:
User John logs in - $_SESSION['idnum'] = 123
User Craig has idnum 994
John modifies his SESSION['idnum'] to show 994
John posts a thread, and OH NO, it looks like Craig just insulted user Jimmy!
Possible?
p.s. If someone wants to explain to me how sessions work, I'd be grateful. I've been treating them as if they're perfectly secure, and I'm pretty sure they're not.
Re: A simple(?) question about $_SESSION
Posted: Sun Jan 20, 2008 5:37 pm
by Christopher
Sessions work by identifying a unique user (using various means) and creating a unique ID to identify that user. The PHP session library will then load the $_SESSION superglobal array with any data currently in the session when session_start() is called. Data is written back to the data store when the script ends or session_write_close() is called. The data store is the filesystem by default -- each user's data is stored in a separate file that uses the unique ID in its name. You can also use databases, etc. to store the session data, and there are session_*() functions to configure that, and plenty of implementations around to use.
It is possible for someone to reuse another user's unique session ID and thereby access their data. It is usually referred to as session fixation. The usual way to reduce this problem is to regenerate the session id regularly.
Re: A simple(?) question about $_SESSION
Posted: Sun Jan 20, 2008 5:48 pm
by VladSun
arborint wrote: It is possible for someone to reuse another user's unique session ID and thereby access their data. It is usually referred to as session fixation. The usual way to reduce this problem is to regenerate the session id regularly.
I must notice that it's not a session fixation, but rather session hijacking. It would be a session fixation if I send you a link like "http://domain.com?sid=123", you open it, it insists that you log in (while keeping the session id=123), and then I use it with session id = 123 with your credentials.
Session hijacking is a simple stealing of your session id after you've created a session.
Re: A simple(?) question about $_SESSION
Posted: Sun Jan 20, 2008 6:06 pm
by VladSun
Chalks wrote:p.s. If someone wants to explain to me how sessions work, I'd be grateful. I've been treating them as if they're perfectly secure, and I'm pretty sure they're not.
Sessions are a server-side piece of information identified by a Session ID. When a user requests a page that uses sessions, session existence is checked in two ways - by looking for a GET/POST or a COOKIE variable containing the session ID (i.e. client side data). If this ID exists then all of this server side information is assigned to $_SESSION. If the ID doesn't exist then no $_SESSION data is assigned to this user.
The security model of sessions insists that you (i.e. the PHP engine) use a long enough and random ID, so it's hard to predict or bruteforce.
Re: A simple(?) question about $_SESSION
Posted: Sun Jan 20, 2008 6:21 pm
by Chalks
That's all great to hear, thanks for the information (as usual, you guys are awesome)!
So, from what you all seem to be saying, it's ok to store light-medium sensitive (e.g. current user id) information in a session as long as I'm regenerating SIDs?
arborint wrote:...The usual way to reduce this problem is to regenerate the session id regularly
How regularly? Every five minutes? Every time they visit the index page?
Re: A simple(?) question about $_SESSION
Posted: Sun Jan 20, 2008 6:23 pm
by VladSun
Chalks wrote:So, from what you all seem to be saying, it's ok to store light-medium sensitive (e.g. current user id) information in a session as long as I'm regenerating SIDs?
Yes - it minimizes the "time window" for stealing the session id.
Chalks wrote:arborint wrote:...The usual way to reduce this problem is to regenerate the session id regularly
How regularly? Every five minutes? Every time they visit the index page?
Every time they visit a page.
Re: A simple(?) question about $_SESSION
Posted: Sun Jan 20, 2008 6:34 pm
by Chalks
VladSun wrote:Every time they visit a page.
So... put the code to change SID in my common header? Doesn't that create a strain on the server, or is it so minimal as to be unnoticeable?
Re: A simple(?) question about $_SESSION
Posted: Sun Jan 20, 2008 6:41 pm
by VladSun
It has a minimal strain on the server.
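A common header that applies the advice given in this thread, as an added example (not code posted by anyone in the thread); it assumes cookie-based PHP sessions and that the $userId passed to login_user() comes from the forum's own login check:

```php
<?php
// Added example, not from the thread. Common header included by every page.

// Refuse session IDs passed in the URL (the "?sid=123" link VladSun
// describes) and reject IDs the server never issued itself.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');   // available since PHP 5.5.2
ini_set('session.cookie_httponly', '1');   // JavaScript cannot read the cookie

session_start();

// Regenerate the ID on every page, as suggested above. Passing true deletes
// the old session data so a previously stolen ID no longer maps to anything.
session_regenerate_id(true);

// Called by the login script once the password has been verified.
function login_user(int $userId): void
{
    // A fresh ID at the privilege change means an ID fixed on the visitor
    // before login never survives into the authenticated session.
    session_regenerate_id(true);
    $_SESSION['idnum'] = $userId;
}

// Used by the posting code instead of querying the database each time.
function current_user_id(): ?int
{
    // The client never sees this value: it lives in the server-side store
    // and is only looked up by the session ID the browser presents.
    return isset($_SESSION['idnum']) ? (int) $_SESSION['idnum'] : null;
}
```

Regenerating on every page can race with concurrent requests from the same browser (several AJAX calls at once may each try to rotate the ID); regenerating at login plus on a timed interval is the usual compromise when that matters.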
