Encrypting session id & keeping alive

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Riquez
Forum Newbie
Posts: 10
Joined: Sun Feb 17, 2008 6:39 pm

Encrypting session id & keeping alive

Post by Riquez »

Hi,
I'm new to this forum & this is my first post. Most of the time I muddle through & solve my own problems, but on this occasion I'd like the advice of others to make sure what I'm doing is OK & to ask a question.

I run an e-commerce site, all hand built, no off-the-shelf products used. Recently I had a few visitors complain that their baskets were getting emptied inexplicably. In this case, it suggests to me that their session id is expiring, but it seems from what they say it happens after only 1 or two mins of inactivity (not the usual 24 mins PHP default).
On the site I generate my own session id using a home-brew encryption formula.
Basically it's something similar to this:

    $_SESSION['user']=md5($browser_id.$secret_phrase.session_id());

This session is set once when the user arrives & will be regenerated if the session is ever empty.

This session identifies the contents of the user's basket, which is saved into a MySQL basket table.

Two questions basically:
1) Do you think my user session is sufficiently secure in its encryption to protect against hijacking?
2) Regarding the session expiring, my guess is that it's expiring after 24 mins because it's not being refreshed each time a page loads. It may seem to the user that it's only 1-2 mins of inactivity, but in reality it's 24 mins since they first came to the website.
I'm unclear on this point so please can you confirm. Do I need to constantly update the session like this?

    if(!empty($_SESSION['user'])){
        $_SESSION['user']=$_SESSION['user'];
    }

OR, is the session automatically kept current each time a page loads anyway? Does session_start() keep a session current?

Many thanks for your input.
hawkenterprises
Forum Commoner
Posts: 54
Joined: Thu Feb 28, 2008 9:56 pm
Location: Gresham, Oregon

Re: Encrypting session id & keeping alive

Post by hawkenterprises »

A bunch of things here,

First of all you have a home-brewed sessions system, that gives you a great advantage over anyone figuring out your scheme to hijack. However since you're posting on here more than likely you have an incomplete knowledge of the ins and outs of PHP let alone hosting.

I would bet your empty carts might have something to do with your hosting and not your code. Shared hosting which is generally anything under $100/mo is going to occasionally drop memory of sessions. It's because you share your box with others and things get stacked out 15 minutes waiting for processor time and well 15 minutes out for a session memory read can really wreak havoc on a commerce site.

I would recommend following some of the greats when it comes to security and PHP. http://toys.lerdorf.com/ is Rasmus's page; he is currently employed by Yahoo but is a great mentor to read from.
Riquez
Forum Newbie
Posts: 10
Joined: Sun Feb 17, 2008 6:39 pm

Re: Encrypting session id & keeping alive

Post by Riquez »

Thanks for the reply.
Your link has been added to my bookmarks ;-)

I have about 5 years experience with PHP, I am by no means an expert, but neither am I a newbie. I'm not a trained programmer, (actually I'm a designer) I studied ASP in a work environment for a while & then took it upon myself to learn PHP. Indeed there are gaps in my knowledge.
Our server is dedicated RHEL & moderately spec'd. We get around 7K-10K visitors daily. General server admin on Linux I'm ok with. But some more complex issues are a problem.

Since I posted, I implemented some code similar to the above to repopulate the session on each page. So far no more users have mentioned it, so it may have been fixed (or may not ;-)). I also optimised some mysql settings (specifically query caching) & have noticed a remarkable improvement there.
It could be that mysql was not coping at busy times, & dropping basket inserts - the query caching has definitely reduced the load.

I would still like to know though my question about session life time. For example, a user logs in & their login session is set. Will that session stay active indefinitely? (as long as they request pages every 24 mins)
OR, should the session be updated continuously?
I know it's a fairly basic question, but something I have never seen mentioned.
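The session-lifetime question asked in both of Riquez's posts, and the hijacking question from the first one, can be answered with a few lines of PHP. This is an added example written for this thread, not code from any poster; it assumes PHP 7.3 or later (for the array form of session_set_cookie_params) and the default "files" save handler.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ (array form of
// session_set_cookie_params) and the default "files" save handler.
declare(strict_types=1);

/**
 * Configure session behaviour before session_start() is called.
 *
 * session.gc_maxlifetime (default 1440 s = 24 min) is counted from the last
 * time PHP wrote the session file. PHP writes it, or with session.lazy_write
 * just touches its timestamp, at the end of every request that called
 * session_start(), so any page load already restarts the clock. A line like
 * $_SESSION['user'] = $_SESSION['user']; changes nothing.
 */
function configureSession(int $lifetimeSeconds): void
{
    ini_set('session.gc_maxlifetime', (string) $lifetimeSeconds);
    ini_set('session.use_only_cookies', '1');  // never read the id from the URL
    ini_set('session.use_strict_mode', '1');   // refuse ids PHP did not issue
    session_set_cookie_params([
        'lifetime' => 0,        // 0 = until the browser is closed
        'path'     => '/',
        'secure'   => true,     // send only over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

/**
 * Start the session and enforce an explicit idle timeout of our own, so the
 * expiry no longer depends on when garbage collection happens to run.
 * $now is injected (time() in production) to keep the function testable.
 * Returns true if an existing session continued, false if a new one began.
 */
function startSession(int $idleTimeoutSeconds, int $now): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $last = $_SESSION['last_activity'] ?? null;
    $continued = ($last !== null) && (($now - $last) <= $idleTimeoutSeconds);
    if ($last !== null && !$continued) {
        // Idle too long: drop the data and the old id together.
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_activity'] = $now;
    return $continued;
}

/**
 * Call after a successful login. Issuing a fresh id here is what defeats
 * session fixation. Hashing the id, as in
 * md5($browser_id . $secret_phrase . session_id()), does not add protection
 * against hijacking: whoever presents the session cookie is still accepted,
 * and the hash lives inside that same session.
 */
function onLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Typical page bootstrap. Skipped on the command line, where there is no cookie.
if (PHP_SAPI !== 'cli') {
    configureSession(1440);
    $live = startSession(1440, time());
    // $live === false: no usable session, so the basket must be treated as empty
    // or recovered some other way (for example a separate basket cookie backed by the DB).
}
```

The answer to the repeated question is therefore "no": session_start() on each page already keeps the session current, and the self-assignment is a no-op. If the carts really vanish after one or two minutes of inactivity, the cause is something other than gc_maxlifetime, which is where the rest of the thread goes.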
hawkenterprises
Forum Commoner
Posts: 54
Joined: Thu Feb 28, 2008 9:56 pm
Location: Gresham, Oregon

Re: Encrypting session id & keeping alive

Post by hawkenterprises »

Thank you for the adds :)

Sessions stay a variety of times depending on the circumstances. If you set the expiration time via a function or changing the php.ini that should be the amount the session will stay active. Otherwise the default from the php.ini will be used as an expiration time. I forget what the exact names are but these two links will be of great help

http://us3.php.net/session
http://www.acros.si/papers/session_fixation.pdf [very white papery]

Now all the above aside here are some of the problems and why I put emphasis on should.

* File issues (permissions, disk space, write times, read times etc)
* Database Issues (connection problems, temp table write times)
* Memory Issues (race conditions, lost/corrupt memory)
* Processor Issues (once again race conditions)

All of these above issues can cause sessions to have problems. That is why client/server side pairing was invented. Generally this means to avoid problems with your server being a jerk and tossing information you hand some of the information to the client via cookie.
This isn't foolproof though because clients can have cookies turned off.

So a combination of cookies, server and client side, and database temp tables will give your user the most pleasant experience of never losing their cart, always being recognized by your site etc.
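One concrete shape for the cookie-plus-database pairing described above: a long-lived basket token in its own cookie, stored hashed in a table, so that the basket can be found again when the server-side session has gone. This is an added example written for this thread, not code from any poster; it assumes PHP 7.1+ with the PDO sqlite driver, uses an in-memory database so it runs from the command line, and takes the session and cookie arrays as parameters instead of touching $_SESSION and $_COOKIE directly.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with PDO sqlite.
declare(strict_types=1);

function basketSchema(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS baskets (
        token_hash TEXT PRIMARY KEY,
        items      TEXT NOT NULL,
        updated_at INTEGER NOT NULL
    )');
}

/** Only the hash is stored, so a leaked table does not hand out usable tokens. */
function tokenHash(string $token): string
{
    return hash('sha256', $token);
}

/** Create a new basket token (32 random bytes, hex) and its empty row. */
function newBasket(PDO $db, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO baskets (token_hash, items, updated_at) VALUES (?, ?, ?)');
    $stmt->execute([tokenHash($token), json_encode([]), $now]);
    return $token;
}

/** Save items for the basket behind $token; false if no such basket exists. */
function saveBasket(PDO $db, string $token, array $items, int $now): bool
{
    $stmt = $db->prepare('UPDATE baskets SET items = ?, updated_at = ? WHERE token_hash = ?');
    $stmt->execute([json_encode($items), $now, tokenHash($token)]);
    return $stmt->rowCount() === 1;
}

/**
 * Find the basket for a request. $session stands for $_SESSION, $cookies for
 * $_COOKIE. Order of trust: a token already in the session, then a well-formed
 * token from the cookie that matches a recent row (the session was lost),
 * otherwise a brand-new basket. Returns [token, items, issueCookie]; the caller
 * sends the cookie with setcookie() (HttpOnly, Secure) when issueCookie is true.
 */
function resolveBasket(PDO $db, array &$session, array $cookies, int $now, int $maxAgeSeconds): array
{
    $candidates = [];
    if (isset($session['basket_token'])) {
        $candidates[] = $session['basket_token'];
    }
    if (isset($cookies['basket']) && preg_match('/^[0-9a-f]{64}$/', $cookies['basket'])) {
        $candidates[] = $cookies['basket'];
    }
    foreach ($candidates as $token) {
        $stmt = $db->prepare('SELECT items FROM baskets WHERE token_hash = ? AND updated_at > ?');
        $stmt->execute([tokenHash($token), $now - $maxAgeSeconds]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row !== false) {
            $session['basket_token'] = $token;
            return [$token, json_decode($row['items'], true), !isset($cookies['basket'])];
        }
    }
    $token = newBasket($db, $now);
    $session['basket_token'] = $token;
    return [$token, [], true];
}

// Constructed walk-through: the server loses the session between two requests,
// the browser keeps the cookie, and the basket is recovered from the database.
$db = new PDO('sqlite::memory:');
basketSchema($db);
$session = [];
$cookies = [];
[$token, $items, $issueCookie] = resolveBasket($db, $session, $cookies, 1000, 30 * 86400);
$cookies['basket'] = $token;                    // the browser stores the issued cookie
saveBasket($db, $token, ['sku-123' => 2], 1001);
$session = [];                                  // the server dropped the session
[$token2, $items2] = resolveBasket($db, $session, $cookies, 1002, 30 * 86400);
assert($token2 === $token && $items2 === ['sku-123' => 2]);
```

The token is a bearer credential for the basket, so it gets the same cookie flags as the session cookie (HttpOnly, Secure, a sensible Max-Age) and is validated as 64 hex characters before it is ever used in a query. Logged-in users should get a fresh token at login, for the same reason the session id is regenerated there.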