well we have read tutorials on php sessions...most of them tend to say...sessions on a shared server can be a problem..
well we have a site hosted on a dedicated server and for the authentication
what we do is on successful login...we start a session with the variables from the database..
on subsequent pages the existence of the session is checked to ensure valid members and then the user id stored in the session identifies the member..means while posting messages and all...the user_id stored in the session is used to insert the user id into the database...
so is the session a great concern for us...or do we need to worry about session hijacking...
is our authentication model safe..secure or healthy...
any loophole in it...
(sql injection and css have been looked into)
session on dedicated server
Re: session on dedicated server
That is probably "ok" for a dedicated server, but it is still a very bad methodology for user authentication.
I wrote about the proper way to handle user authentication in this post:
viewtopic.php?f=34&t=83111#p465635
The summary is that you should not store ANY MEANINGFUL DATA in a user's cookies or sessions. And a user's userid counts as meaningful data. Read the post and consider reworking your system if my method makes sense.
Edit: I am being a little harsh in this post, sorry. On a dedicated server technically the security issues with using sessions in the way that you are using them are minimal. However, I still strongly suggest you use my methodology, as I feel that it is a more elegant, more secure system which gives the coder a lot more flexibility.
Re: session on dedicated server
any way thanks ...
Taken from that post of yours:
You ought to do something like the following method:
On login:
1) Verify that a user entered in the right username/password.
2) Generate a random unique LONG hash.
3) Delete all entries from the Sessions table where userid = the user's userid.
4) Store the userid and the aforementioned long hash in a table called: sessions.
5) Set either $_SESSION[] or set a cookie that stores the long random hash on the client's computer.
6) When the user goes from page to page fetch the value assigned to the $_SESSION array or to the $_COOKIE array and select from table SESSIONS where hash = $_COOKIE['siteauth_hash'] and if you find a match your script knows with absolute certainty that the user has logged in properly.
Your script should confirm if a user is logged in, and then fetch the confirmed userid in the SESSIONS table and use that id to fetch information about that user from other tables. (Like a "user" table.)
This method doesn't store any meaningful information on the client's computer.
but looking at it the only difference here is rather than the server's shared session location the data are being saved in the database...and as said on the "client's computer"....as far as we know sessions are not stored on clients' computers...
SO we THINK AS IT IS A DEDICATED SERVER IT IS NOT THE PROBLEM OR SOLUTION...OR MATTER OR CONCERN...
and some hash variable for extra precaution...
I THINK ENCRYPTION IS ALSO A MATTER OF SHARED SERVER
AND besides
i think there are around 200-300 visitors at an instance on our site and around 50 registered users logging in and out...and with it we see massive inserting, deletion (session table) and lots of extra database calls..so this can result in degraded database performance....
any way thanks for your suggestion..
please any other...
Re: session on dedicated server
The insertion/deletion would only occur on login/logout. It's a moot point, it will not add any significant overhead to your server in relation to the overhead of normal operations.
As I mentioned, I was a bit harsh. Your system is relatively secure. However, my system is something you ought to think about as it does give you more control over the handling of user sessions. For example, you can prevent two people from being logged in on the same account at the same time fairly easily.
But, it's purely optional in your case. Just something to consider.
Re: session on dedicated server
Attilitus wrote:The insertion/deletion would only occur on login/logout. It's a moot point, it will not add any significant overhead to your server in relation to the overhead of normal operations.
As I mentioned, I was a bit harsh. Your system is relatively secure. However, my system is something you ought to think about as it does give you more control over the handling of user sessions. For example, you can prevent two people from being logged in on the same account at the same time fairly easily.
But, it's purely optional in your case. Just something to consider.
thanks any way well we are saying around 50 users at an instance and 300 visitors..means there can be lots of logins and logouts going on....
so this may not be a very big issue performance wise...but we were trying to weigh the two parts of the tradeoff...i.e. what is being achieved with all those database calls (or overhead)...so at this moment we don't see much worth in doing it..
any way thanks ....
any body is there any flaw in our model...
Re: session on dedicated server
How do you handle the expiration of sessions?
Re: session on dedicated server
Attilitus wrote:How do you handle the expiration of sessions?
on logout we do
<?php
session_start();                              // the session must be active before it can be destroyed
$_SESSION = array();                          // drop the server-side session data
session_destroy();
setcookie(session_name(), '', time() - 400);  // expire the session cookie on the client
WebbieDave
Re: session on dedicated server
rami wrote:so is the session a great concern for us...or do we need to worry about session hijacking...
The number one thing you must do when addressing security is exactly that: worry about it. That's the best start. PHP deals with session hijacking by trying to make the session ids hard to guess. You'll still want to ensure that any session ids that can be used to access important information are used for a short time and discarded. Session fixation can be stopped by not allowing session ids in the URL.
You didn't mention how long sessions are allowed to last or what kind of information can be accessed. When important information is about to be accessed, you can check the session length and determine if re-asking for the password is appropriate. Your model is fine but just don't allow sessions to linger for too long. Also, as you are now using a dedicated server, you'll want to ensure that files in your sessions directory are being properly cleared in a timely manner.
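Attilitus's sessions-table method (the numbered steps quoted in rami's reply above) combined with the session lifetime check WebbieDave asks for, as an added example that is not code from any poster in this thread; the table layout, the `siteauth_hash` cookie options, and the 24-hour lifetime are assumptions.

```php
<?php
// Added example, not code from the thread: Attilitus's sessions-table method (steps 2-6 quoted above)
// plus the expiry WebbieDave raises. PDO with in-memory SQLite so it runs stand-alone; the table and
// column names, the cookie options and the 24-hour lifetime are assumptions.
const SESSION_LIFETIME = 86400; // seconds a login may linger before the password is re-asked (assumed)
function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (hash TEXT PRIMARY KEY, userid INTEGER NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}
// Steps 2-4: after the password check passed, mint a random token, evict the user's other logins
// and record the new one. The token, not the userid, is what the client gets to keep.
function createSession(PDO $db, int $userid, int $now): string {
    $hash = bin2hex(random_bytes(32)); // 256 random bits: unguessable, unlike a sequential userid
    $db->prepare('DELETE FROM sessions WHERE userid = ?')->execute([$userid]);
    $db->prepare('INSERT INTO sessions (hash, userid, expires) VALUES (?, ?, ?)')
       ->execute([$hash, $userid, $now + SESSION_LIFETIME]);
    return $hash;
}
// Step 6: on each page, map the cookie value back to a userid. null means "not logged in": the token
// is unknown, or it lingered past its lifetime (in which case the row is removed as well).
function userFromToken(PDO $db, string $hash, int $now): ?int {
    $stmt = $db->prepare('SELECT userid, expires FROM sessions WHERE hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if ((int) $row['expires'] <= $now) {
        destroySession($db, $hash);
        return null;
    }
    return (int) $row['userid'];
}
// Logout: deleting the row kills the token server-side even if the client keeps the cookie.
function destroySession(PDO $db, string $hash): void {
    $db->prepare('DELETE FROM sessions WHERE hash = ?')->execute([$hash]);
}
// Demonstration with a constructed userid (42) and a fixed clock. A real login handler would send the
// token with setcookie('siteauth_hash', $hash, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']).
$db = openDb();
$t0 = 1000000;
$first = createSession($db, 42, $t0);
$second = createSession($db, 42, $t0 + 10);                         // a second login on the same account
var_dump(userFromToken($db, $first, $t0 + 20));                     // NULL: step 3 evicted the earlier login
var_dump(userFromToken($db, $second, $t0 + 20));                    // int(42)
var_dump(userFromToken($db, $second, $t0 + SESSION_LIFETIME + 11)); // NULL: lingered past its lifetime
```

Because only the random token reaches the browser, a leaked or guessed userid gives nothing to present, and a lingering cookie stops working as soon as its row expires or is deleted on logout.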
Re: session on dedicated server
Store only temporary data in sessions. Do not store confidential information like passwords in sessions. Always use encoding for security.
Enjoy coding