
something about session

Posted: Thu May 15, 2008 12:23 am
by ibolui
Hi guys. I came across some articles about sessions by Chris Shiflett.

http://shiflett.org/articles/the-truth-about-sessions
http://shiflett.org/articles/session-fixation
http://shiflett.org/articles/session-hijacking
http://shiflett.org/articles/storing-se ... a-database

He recommended some techniques for better handling of sessions. From the last article, I understand that storing sessions in a DB is safer in a shared hosting environment.

But what I would like to ask is: if storing sessions in the DB is implemented, are the techniques in his other articles still valid? As in, do I still need to write that code in my app?

Thanks,
Still very new to PHP :p

Re: something about session

Posted: Thu May 15, 2008 1:28 am
by Kieran Huggins
I have to say, those techniques are rarely justified and they add a potential annoyance to the user. For instance: generating a new hash per request can break the back button (we've all been annoyed with having our sessions destroyed in this manner) and using the UserAgent method is far from secure if the session is hijacked by a browser vulnerability.

Re-examine if that kind of security is really necessary.

All that being said, storing the session data in the DB shouldn't prevent any of those methods from being used.

Re: something about session

Posted: Thu May 15, 2008 1:46 am
by ibolui
I see.. thanks for the reply :)

One of the articles mentioned using a token instead of HTTP headers.

Code:

<?php
// Generate a token and keep a server-side copy of it in the session
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
?>

This token should then be propagated with each request, using a different method than used to propagate the session identifier.

I do not understand how to propagate the token, in terms of coding.
If the token is propagated via the URL, and for each request the token is verified against $_SESSION['token'], how does it prevent hacking?

Re: something about session

Posted: Fri May 23, 2008 6:18 pm
by Chris Corbyn
ibolui wrote:
I see.. thanks for the reply :)

One of the articles mentioned using a token instead of HTTP headers.

Code:

<?php
// Generate a token and keep a server-side copy of it in the session
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
?>

This token should then be propagated with each request, using a different method than used to propagate the session identifier.

I do not understand how to propagate the token, in terms of coding.
If the token is propagated via the URL, and for each request the token is verified against $_SESSION['token'], how does it prevent hacking?
Via the URL or POST yes. It doesn't prevent session hijacking, it simply makes it harder because it's one extra piece of information you need. You're effectively passing an authentication token around in all requests... which would be fairly easy to sniff.
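
What the scheme looks like in code, as an added example that is not part of the thread or of Shiflett's articles: the session id stays in the cookie, the token is carried in a hidden POST field, and the server compares the submitted value with its own copy on every state-changing request. The token is sent in the request body rather than the URL because a URL token ends up in browser history, server logs and Referer headers. The function names and the login flow are assumptions made for this illustration; the token is generated with random_bytes() instead of md5(uniqid(rand())), since the latter is not a cryptographic source of randomness.

```php
<?php
// Added example, not from the thread or from Shiflett's articles.
// Session id in the cookie, secondary token in the POST body, compared server-side.
// Function names and the login flow are assumptions for this illustration.
declare(strict_types=1);

session_start();

// Called once the user has authenticated. Regenerating the id discards any id
// an attacker may have planted (session fixation); a fresh token is issued for
// the new session so the two values are only ever seen together by this client.
function startAuthenticatedSession(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['token'] = bin2hex(random_bytes(32)); // 64 hex chars from a CSPRNG
}

// Emit the token as a hidden field so it travels in the POST body, not in the
// cookie header that carries the session id.
function tokenField(): string
{
    $token = $_SESSION['token'] ?? '';
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the server-side copy. hash_equals() is a
// constant-time comparison, so timing does not reveal how many bytes matched.
function tokenIsValid(array $post): bool
{
    if (!isset($_SESSION['token'], $post['token']) || !is_string($post['token'])) {
        return false;
    }
    return hash_equals($_SESSION['token'], $post['token']);
}

// Every state-changing request must carry a valid token. A request that has a
// valid session cookie but no (or a wrong) token is treated as a hijack attempt:
// the session is thrown away rather than served.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!tokenIsValid($_POST)) {
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('Invalid session token');
    }
    // ... carry out the requested action for $_SESSION['user_id'] ...
}

// Rendering a form that posts back to the application:
// echo '<form method="post" action="/transfer">' . tokenField() . ' ... </form>';
```

Because the token is only ever embedded in pages served to the authenticated client, someone who obtains just the session id (for example from a log line or a leaked cookie) still has to get hold of the token from a page body before their POST requests are accepted; a full sniff of the client's traffic yields both, which is the limitation described above.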

Re: something about session

Posted: Thu Jul 24, 2008 2:08 am
by abalfazl
Hello!
Chris Corbyn wrote:
Via the URL or POST yes. It doesn't prevent session hijacking, it simply makes it harder because it's one extra piece of information you need. You're effectively passing an authentication token around in all requests... which would be fairly easy to sniff.

Please correct me if I don't understand:

Code:

<?php
// Generate a token and keep a server-side copy of it in the session
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
?>

We save the token on the server side, then why do we need to use it in every request?
We only need to compare it on the server. Then how is it possible to sniff?

Re: something about session

Posted: Thu Jul 24, 2008 8:55 am
by ghurtado
abalfazl wrote:
We only need to compare it on the server. Then how is it possible to sniff?
What are you going to compare it to? You would have to compare it to the value sent by the client, since there isn't much to be gained in comparing two values that both exist on the server.

On the other hand, I must be daft, but I can see no way in which this method increases the chances that the client is who they claim to be. What is the difference between passing one client token (the standard PHP session cookie) and passing two?

If a hacker is attempting to hijack the session, it is no harder to send two cookies / tokens / whatever back to the server rather than one.

Re: something about session

Posted: Thu Jul 24, 2008 9:45 am
by abalfazl
Hello!

It is said:
You're effectively passing an authentication token around in all requests... which would be fairly easy to sniff.

Please explain it to me, I am confused.

We create a session ID and a token for a user, then the token is in the session array with a specific session ID.
A hacker steals the session ID of the user and enters the site.

Now what would happen next? Can the hacker find the token?

I think the token is saved on the server and does not travel through the network. Right?

Then how can a hacker access the token?

Re: something about session

Posted: Thu Jul 24, 2008 10:36 am
by ghurtado
Hi aba,

Sounds like you are pretty new to sessions. Read the following, as it will help you understand what sessions are and how they are implemented in PHP, otherwise you will continue to be confused:

http://us2.php.net/session

Good luck!