Managing Session

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

kecebong_soft
Forum Newbie
Posts: 1
Joined: Sun Feb 24, 2008 6:08 am

Managing Session

Post by kecebong_soft »

Hi,

I am currently developing a website that can be accessed from a mobile phone. Because not all mobile browsers support cookies, I need to put the session ID in every URL, and that increases the file size :-(.

So I plan to store the session ID in the database and attach the ID of the record to every URL, i.e. index.php?sid=1. The workflow is something like this:


1. User visits the website.
2. Check whether $_GET['sid'] exists or not; if not, store a new session ID, user agent/browser, and IP address in the database.
3. Get the record ID, and set the value of the 'sid' variable in the URL to the record ID (i.e. index.php?sid=1).

When the user visits the website, the system will check the 'sid' variable first and match the criteria (user agent and IP address). If the visitor's user agent and IP are the same as in the record in the database, the system will allow the visitor to use that session ID; if not, the system creates a new session ID.

Is that secure? I have never used this method before; is there any chance to hack this method? I also want to use a timestamp to record the visitor's activity: if the user tries to use the same 'sid' after 30 minutes, then the 'sid' will not be usable any more.

thanks.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Managing Session

Post by Mordred »

Session IDs are long so that they can't be easily guessed. What you propose is exactly the opposite of this property.

Tying the SID to the IP is good as an additional security measure, if the user agrees to it in his account settings. For some users this is not applicable, as they are behind a proxy out of their control which uses different IPs for each request. I suspect that this may often be the case with mobile internet, although I'm far from certain.

Tying the user agent to the session is not a significant improvement to the security, as an attacker can simply try a list of the most common ones (again, with mobiles, this list may be much shorter than the equivalent PC list).
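As an added illustration of both the workflow in the first post and the guessability point in the reply (example code written for this page, not code from either poster): the scheme is implemented with PDO over an in-memory SQLite table, once keyed by the sequential record id as proposed, and once by a 128-bit random token stored in the same row. The table layout, the function names, the `SESSION_LIFETIME` constant, and the user agent and IP strings are all assumptions constructed for the example; the random token is the swapped-in technique that restores the "long so it can't be guessed" property the reply mentions.

```php
<?php
// Added example, not the poster's code. Requires the pdo_sqlite extension.
declare(strict_types=1);

const SESSION_LIFETIME = 30 * 60; // the 30-minute cut-off proposed in the thread

function openStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // 'id' is the sequential record id the original plan would put in the URL;
    // 'token' is the addition: a random, unguessable lookup key in the same row.
    $db->exec('CREATE TABLE sessions (
        id         INTEGER PRIMARY KEY AUTOINCREMENT,
        token      TEXT    NOT NULL UNIQUE,
        php_sid    TEXT    NOT NULL,
        user_agent TEXT    NOT NULL,
        ip         TEXT    NOT NULL,
        last_seen  INTEGER NOT NULL)');
    return $db;
}

// Step 2 of the proposal: no usable sid in the URL, so create a record.
function createSession(PDO $db, string $ua, string $ip, int $now): array {
    $token  = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    $phpSid = bin2hex(random_bytes(16)); // stands in for PHP's own session id
    $stmt = $db->prepare('INSERT INTO sessions (token, php_sid, user_agent, ip, last_seen)
                          VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([$token, $phpSid, $ua, $ip, $now]);
    return ['id' => (int)$db->lastInsertId(), 'token' => $token];
}

// The lookup as the poster describes it: find the record, then require the same
// user agent and IP and a last-seen time within SESSION_LIFETIME. Returns the
// PHP session id to resume, or null if a fresh session must be created instead.
function resumeSession(PDO $db, string $column, string $value,
                       string $ua, string $ip, int $now): ?string {
    if (!in_array($column, ['id', 'token'], true)) {   // whitelist before interpolating
        throw new InvalidArgumentException('unknown lookup column');
    }
    $stmt = $db->prepare("SELECT php_sid, user_agent, ip, last_seen FROM sessions WHERE $column = ?");
    $stmt->bindValue(1, $column === 'id' ? (int)$value : $value,
                     $column === 'id' ? PDO::PARAM_INT : PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) return null;
    if ($row['user_agent'] !== $ua || $row['ip'] !== $ip) return null;   // criteria mismatch
    if ($now - (int)$row['last_seen'] > SESSION_LIFETIME) return null;   // idle too long
    $db->prepare("UPDATE sessions SET last_seen = ? WHERE $column = ?")
       ->execute([$now, $column === 'id' ? (int)$value : $value]);
    return $row['php_sid'];
}

// An attacker who presents the victim's UA and IP (same proxy, or a UA from a
// short list of common mobile browsers) just walks sid=1, 2, 3, ...
// The same loop against the random token finds nothing.
function guessSessions(PDO $db, string $column, int $attempts,
                       string $ua, string $ip, int $now): int {
    $hits = 0;
    for ($i = 1; $i <= $attempts; $i++) {
        if (resumeSession($db, $column, (string)$i, $ua, $ip, $now) !== null) $hits++;
    }
    return $hits;
}

$db  = openStore();
$now = time();
$ua  = 'Mozilla/5.0 (constructed mobile UA)';   // constructed sample values
$ip  = '203.0.113.7';                           // TEST-NET-3 address, constructed
$victim = createSession($db, $ua, $ip, $now);

// Proposed scheme, index.php?sid=1: hijacked on the first guess.
echo "sequential id: ", guessSessions($db, 'id', 10, $ua, $ip, $now), " hit(s) in 10 tries\n";
// Random token in the URL instead: no hits.
echo "random token:  ", guessSessions($db, 'token', 10, $ua, $ip, $now), " hit(s) in 10 tries\n";
// Legitimate resume, a proxy that changed the client IP, and the 30-minute cut-off.
var_dump(resumeSession($db, 'token', $victim['token'], $ua, $ip, $now + 60) !== null);
var_dump(resumeSession($db, 'token', $victim['token'], $ua, '203.0.113.8', $now + 60) === null);
var_dump(resumeSession($db, 'token', $victim['token'], $ua, $ip, $now + 35 * 60) === null);
```

Run it with `php example.php`: the sequential lookup reports one hit and the token lookup none, and the three `var_dump` lines print `bool(true)`. The IP check is exactly the behaviour the reply warns about: the second `var_dump` shows a client whose proxy moved to a new address being thrown out of its own session, so the check should be optional rather than mandatory. Note that the last-seen update on every successful lookup means the expiry is an idle timeout, not an absolute one; an absolute lifetime would need a separate created-at column.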