something about session

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

ibolui
Forum Commoner
Posts: 27
Joined: Thu May 26, 2005 9:41 am

something about session

Post by ibolui »

hi guys. i came across some articles about sessions by chris shiflett.

http://shiflett.org/articles/the-truth-about-sessions
http://shiflett.org/articles/session-fixation
http://shiflett.org/articles/session-hijacking
http://shiflett.org/articles/storing-se ... a-database

he recommended some techniques for better handling of sessions. from the last article, i understand that storing sessions in a db is safer in a shared hosting environment.

but what i would like to ask is this: if storing sessions in a db is implemented, are the techniques in his other articles still valid? as in, do i still need to write that code in my app?

thanks,
still very new to php :p
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Re: something about session

Post by Kieran Huggins »

I have to say, those techniques are rarely justified and they add a potential annoyance to the user. For instance: generating a new hash per request can break the back button (we've all been annoyed with having our sessions destroyed in this manner) and using the UserAgent method is far from secure if the session is hijacked by a browser vulnerability.

Re-examine if that kind of security is really necessary.

All that being said, storing the session data in the DB shouldn't prevent any of those methods from being used.
ibolui
Forum Commoner
Posts: 27
Joined: Thu May 26, 2005 9:41 am

Re: something about session

Post by ibolui »

ic.. thanks for the reply :)

one of the articles commented on using a token instead of http headers.

<?php $token = md5(uniqid(rand(),TRUE)); $_SESSION['token'] = $token; ?>
This token should then be propagated with each request, using a different method than used to propagate the session identifier.

i do not understand how to propagate the token, in terms of coding.
if the token is propagated via url, and for each request the token is verified against $_SESSION['token'], how does it prevent hacking?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: something about session

Post by Chris Corbyn »

ibolui wrote: ic.. thanks for the reply :)

one of the articles commented on using a token instead of http headers.

<?php $token = md5(uniqid(rand(),TRUE)); $_SESSION['token'] = $token; ?>
This token should then be propagated with each request, using a different method than used to propagate the session identifier.

i do not understand how to propagate the token, in terms of coding.
if the token is propagated via url, and for each request the token is verified against $_SESSION['token'], how does it prevent hacking?
Via the URL or POST yes. It doesn't prevent session hijacking, it simply makes it harder because it's one extra piece of information you need. You're effectively passing an authentication token around in all requests... which would be fairly easy to sniff.
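To show in code what Kieran's remark about session_regenerate_id() and Chris's "via the URL or POST" answer describe, here is an added example that is not from this thread or from Shiflett's articles. It assumes PHP 7.3 or later (random_bytes(), hash_equals() and the array form of session_set_cookie_params()); the cookie flags and the form field name token are illustrative choices.

```php
<?php
// Added example (not the forum's or Shiflett's code). Secondary token kept in
// $_SESSION and propagated through the POST body, i.e. a channel separate from
// the session cookie, then verified server-side on each state-changing request.
// Assumes PHP 7.3+; cookie attributes below are illustrative.

session_set_cookie_params([
    'httponly' => true,   // script cannot read the session cookie
    'secure'   => true,   // only sent over TLS, so it is not sniffable in clear
    'samesite' => 'Lax',
]);
session_start();

// Issue a fresh random token and store it in the session (server side only;
// the client sees it only when a form is rendered with it).
function issueToken(): string
{
    $_SESSION['token'] = bin2hex(random_bytes(32));
    return $_SESSION['token'];
}

// Called once after a successful login. Regenerating the id here (not on every
// request, which is what breaks the back button) means an id an attacker
// pre-set in the victim's browser is never upgraded to an authenticated one.
function onLoginSuccess(): void
{
    session_regenerate_id(true);   // true = delete the old session file/row
    issueToken();
}

// Verify the token that arrived in the POST body against the server copy.
function tokenIsValid(array $post): bool
{
    if (!isset($_SESSION['token'], $post['token']) || !is_string($post['token'])) {
        return false;
    }
    // Constant-time comparison so timing does not leak how many bytes matched.
    return hash_equals($_SESSION['token'], $post['token']);
}

// Render helper: put the token in a hidden field rather than in the URL, so it
// does not end up in Referer headers, proxy logs or browser history.
function hiddenTokenField(): string
{
    $t = $_SESSION['token'] ?? issueToken();
    return '<input type="hidden" name="token" value="'
         . htmlspecialchars($t, ENT_QUOTES, 'UTF-8') . '">';
}

// Request handling: a POST that carries only the cookie (no matching token)
// is refused before any state changes.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!tokenIsValid($_POST)) {
        http_response_code(403);
        exit('Request rejected: token missing or does not match the session.');
    }
    // ... perform the state-changing action here ...
}
```

The point Chris and (below) ghurtado make still holds: whoever can read the user's traffic or the rendered page obtains both the cookie and the token, so this does not stop hijacking on its own. What it does do is reject requests that present the session cookie without the token, and confining the token to the POST body keeps it out of the places URL parameters leak to.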
abalfazl
Forum Commoner
Posts: 71
Joined: Mon Sep 05, 2005 10:05 pm

Re: something about session

Post by abalfazl »

Hello!
Via the URL or POST yes. It doesn't prevent session hijacking, it simply makes it harder because it's one extra piece of information you need. You're effectively passing an authentication token around in all requests... which would be fairly easy to sniff.
Please correct me if I don't understand:

<?php $token = md5(uniqid(rand(),TRUE));
$_SESSION['token'] = $token; ?>
We save the token on the server side, so then why do we need to use it in every request?
We only need to compare it on the server. Then how is it possible to sniff?
ghurtado
Forum Contributor
Posts: 334
Joined: Wed Jul 23, 2008 12:19 pm

Re: something about session

Post by ghurtado »

abalfazl wrote: We only need to compare it on the server. Then how is it possible to sniff?
What are you going to compare it to? You would have to compare it to the value sent by the client, since there isn't much to be gained in comparing two values that both exist on the server.

On the other hand, I must be daft, but I can see no way in which this method increases the chances that the client is who they claim to be. What is the difference between passing one client token (the standard PHP session cookie) and passing two?

If a hacker is attempting to hijack the session, it is no harder to send two cookies / tokens / whatever back to the server rather than one.
abalfazl
Forum Commoner
Posts: 71
Joined: Mon Sep 05, 2005 10:05 pm

Re: something about session

Post by abalfazl »

Hello!

It is said:
You're effectively passing an authentication token around in all requests... which would be fairly easy to sniff.

Please explain it to me, I'm confused.

We create a session ID and a token for a user, so the token is in the session array under a specific session ID.
A hacker steals the user's session ID and enters the site.

Now what would happen next? Can a hacker find the token?

I think the token is saved on the server and is not transferred over the network. Right?

Then how can a hacker get access to the token?
ghurtado
Forum Contributor
Posts: 334
Joined: Wed Jul 23, 2008 12:19 pm

Re: something about session

Post by ghurtado »

Hi aba,

Sounds like you are pretty new to sessions. Read the following, as it will help you understand what sessions are and how they are implemented in PHP, otherwise you will continue to be confused:

http://us2.php.net/session

Good luck!