something about session
hi guys. i came across some articles about sessions by Chris Shiflett.
http://shiflett.org/articles/the-truth-about-sessions
http://shiflett.org/articles/session-fixation
http://shiflett.org/articles/session-hijacking
http://shiflett.org/articles/storing-se ... a-database
he recommended some techniques for better handling of sessions. in the last article, i understand that storing sessions in a db is safer in a shared hosting environment.
but what i would like to ask is: if storing sessions in the db is implemented, are the techniques in his other articles still valid? as in, do i still need to write that code in my app?
thanks,
still very new to php :p
- Kieran Huggins
Re: something about session
I have to say, those techniques are rarely justified and they add a potential annoyance to the user. For instance: generating a new hash per request can break the back button (we've all been annoyed with having our sessions destroyed in this manner) and using the UserAgent method is far from secure if the session is hijacked by a browser vulnerability.
Re-examine if that kind of security is really necessary.
All that being said, storing the session data in the DB shouldn't prevent any of those methods from being used.
Re: something about session
ic.. thanks for the reply
one of the articles mentioned using a token instead of HTTP headers:
This token should then be propagated with each request, using a different method than used to propagate the session identifier
```php
<?php
session_start();                      // must run before anything is written to $_SESSION
$token = md5(uniqid(rand(), TRUE));   // token generator from the article
$_SESSION['token'] = $token;          // server-side copy the client's copy is checked against
?>
```
i do not understand how to propagate the token, in terms of coding?
if the token is propagated via the url, and for each request the token is verified against $_SESSION['token'], how does it prevent hacking?
- Chris Corbyn
- Breakbeat Nuttzer
Re: something about session
Via the URL or POST yes. It doesn't prevent session hijacking, it simply makes it harder because it's one extra piece of information you need. You're effectively passing an authentication token around in all requests... which would be fairly easy to sniff.
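The propagation ibolui asked about, written out end to end as an added example (not code from the thread or from Shiflett's articles): the token is kept in $_SESSION, sent to the client in a hidden form field so it travels in the POST body rather than in the cookie header that carries the session ID, and compared on every POST. It swaps in random_bytes() for the md5(uniqid()) generator quoted above and assumes the login form lives at a hypothetical /login.php served over HTTPS.

```php
<?php
// Added example; assumes HTTPS and a login form at /login.php (hypothetical).
declare(strict_types=1);

session_start();

// Called once, after the user's credentials have been verified.
function establishSession(string $userId): string
{
    // Defeat session fixation: discard whatever ID the client arrived with.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    // Server-side copy of the token (random_bytes instead of md5(uniqid())).
    $_SESSION['token'] = bin2hex(random_bytes(32));
    // The client receives this copy and must echo it back on each request.
    return $_SESSION['token'];
}

// Emit the token as a hidden field: a different channel from the PHPSESSID cookie.
function tokenField(): string
{
    $token = $_SESSION['token'] ?? '';
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Run on every state-changing request: the server-side copy is compared with
// the copy the client sent. hash_equals() avoids a timing side channel.
function verifyToken(array $post): bool
{
    $expected = $_SESSION['token'] ?? null;
    $given    = $post['token'] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && !verifyToken($_POST)) {
    // Mismatch: treat the session as compromised rather than just rejecting the request.
    session_unset();
    session_destroy();
    http_response_code(403);
    exit('Session check failed; please log in again.');
}
```

As the replies above point out, anyone who can read the whole request sees both the cookie and the hidden field, so this adds little against a sniffer; its real value is that a request forged from another origin cannot supply the hidden field.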
Re: something about session
Hello!
We save the token on the server side, then why do we need to use it in every request?
We need only to compare it on the server. Then how is it possible to sniff?
Please correct me if I don't understand:
Chris Corbyn wrote: Via the URL or POST yes. It doesn't prevent session hijacking, it simply makes it harder because it's one extra piece of information you need. You're effectively passing an authentication token around in all requests... which would be fairly easy to sniff.
Re: something about session
abalfazl wrote: We need only to compare it on the server. Then how is it possible to sniff?
What are you going to compare it to? You would have to compare it to the value sent by the client, since there isn't much to be gained in comparing two values that both exist on the server.
On the other hand, I must be daft, but I can see no way in which this method increases the chances that the client is who they claim to be. What is the difference between passing one client token (the standard PHP session cookie) and passing two?
If a hacker is attempting to hijack the session, it is no harder to send two cookies / tokens / whatever back to the server rather than one.
Re: something about session
Hello!
It is said:
You're effectively passing an authentication token around in all requests... which would be fairly easy to sniff.
Please explain it to me, I am confused:
We create a session ID and a token for a user, then the token is in the session array under a specific session ID.
A hacker steals the session ID of the user and enters the site.
Now what would happen next? Can the hacker find the token?
I think the token is saved on the server and does not travel through the network. Right?
Then how can a hacker access the token?
Re: something about session
Hi aba,
Sounds like you are pretty new to sessions. Read the following, as it will help you understand what sessions are and how they are implemented in PHP, otherwise you will continue to be confused:
http://us2.php.net/session
Good luck!