Page security session or database based?
-
immortalnights
- Forum Newbie
- Posts: 3
- Joined: Tue Jul 29, 2008 6:33 pm
Page security session or database based?
I have a question to which I have tried to look for an answer elsewhere, but instead I get swamped with related stuff, way too much to really get to the point I am looking for.
In the PHP-based login part of a site (the secure part, where users have to log in with a username and password to access it), so far as I have learned it is poor practice to use a $_SESSION variable to determine whether the user is logged in after checking the username and password.
For example, on each page using "$_SESSION['loggedin'] = 1" to determine that the user is valid and allowed to view the secure contents.
The way I know instead is to store the user's session ID in the database and verify that the user's username and session continue to be identical throughout their visit. If they are not, kick the user out.
Hopefully I have described them correctly. What I'd like to know is why the first, session-variable system is less secure; it would be useful if whoever knows the answer could point me to somewhere that covers that kind of thing in more detail.
Googling for "PHP security" returns way too much for me to get a decent answer sooner rather than later. So I would very much appreciate some decent answers.
As for those interested in why: I've been working on a secure site and, after implementing the second, database-related method, I ended up arguing (in a friendly way) with a co-worker about the two methods. Although I am sure the database one is right (though I am willing to be proved wrong, of course), I was unable to provide a solid example as to why.
Thank you for your time and help.
- jaoudestudios
- DevNet Resident
- Posts: 1483
- Joined: Wed Jun 18, 2008 8:32 am
- Location: Surrey
Re: Page security session or database based?
All the PHP books I have read cover SESSION hijacking. This is why it is not secure; however, there are ways around it with unique random IDs. It is quite an in-depth subject. A database will be more secure; however, it will be slower, as it will have to go to the MySQL service to get the results.
-
immortalnights
- Forum Newbie
- Posts: 3
- Joined: Tue Jul 29, 2008 6:33 pm
Re: Page security session or database based?
Thanks for the reply. I understand there is a lot to it; I guess that's why I was unable to really find a clear answer.
However, with session hijacking, wouldn't either method be as insecure as the other? Since they know the session ID, they then match what the database has and are verified.
If, on each verification, I changed the session ID, would that be a potential solution? Though how much harder is it to implement that?
Re: Page security session or database based?
It is very simple. I handle my sessions in this way (renewing the session ID on every page before they view it) and it pretty much stops session hijacking (although if someone really wants to hack a site, any site is vulnerable). Simply put

Code: Select all
session_regenerate_id();

right after

Code: Select all
session_start();

on every page.
-
immortalnights
- Forum Newbie
- Posts: 3
- Joined: Tue Jul 29, 2008 6:33 pm
Re: Page security session or database based?
Yes, I saw that call on the PHP site. However, if you're authenticating the user based on their session, changing the session each time would be impossible.
In that instance, using a session variable (like "loggedin"=1) is better than using a database.
Instead of storing the active session in the database to determine if the user is logged in, would some hash of the time they logged in (or some other highly unique data), queried at the same time as the username (to ensure authenticity), be better?
I think I understand what I am trying to say, and how to go about doing it; so I hope others do also and therefore help to assure me that it would be more secure than both the originally posted systems.
Re: Page security session or database based?
You can actually completely rewrite how PHP stores session data. In this way you can use sessions as you always do, but the data can be stored, for instance, in a database, and/or you can use encryption (you can do pretty much whatever you want with the data). Session data is usually stored in a temporary directory on the server and can theoretically be accessed by anyone using the server. Switching to a database will make sessions more secure. Though, as noted, it's slower (having the database server running on the same computer as the web server will speed things up a bit).
So, take a look at rewriting how PHP stores session data.
- allspiritseve
- DevNet Resident
- Posts: 1174
- Joined: Thu Mar 06, 2008 8:23 am
- Location: Ann Arbor, MI (USA)
Re: Page security session or database based?
Wait, could somebody please explain or link to an article on why keeping session data in the database is more secure than keeping the user's id in $_SESSION?
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: Page security session or database based?
immortalnights wrote: In the PHP-based login part of a site (the secure part, where users have to log in with a username and password to access it), so far as I have learned it is poor practice to use a $_SESSION variable to determine whether the user is logged in after checking the username and password.
Bad practice? Why do you say that? On the contrary, I would argue it's probably a best practice.
immortalnights wrote: For example, on each page using "$_SESSION['loggedin'] = 1" to determine that the user is valid and allowed to view the secure contents.
That is how most applications do it.
immortalnights wrote: The way I know instead is to store the user's session ID in the database and verify that the user's username and session continue to be identical throughout their visit. If they are not, kick the user out.
You can store SESSION data literally anywhere; by default it is stored in files at a location specified by php.ini. You could write an abstraction layer for SESSIONs and store the data in a database or in memory using SHMOP if you wanted to. Each storage medium has its pros and cons.
immortalnights wrote: Hopefully I have described them correctly. What I'd like to know is why the first, session-variable system is less secure; it would be useful if whoever knows the answer could point me to somewhere that covers that kind of thing in more detail.
The storage medium is what is insecure (under different circumstances). If you are on a shared host, it's possible for another user on the same host to read your session data and thus hijack your SESSION. If you are on a dedicated machine...this is not likely an issue. It's a well-known tradeoff of convenience versus security, and most professional developers will use SESSION as it's far easier and clearer than implementing your own statefulness using custom database storage and lookup techniques.
immortalnights wrote: As for those interested in why: I've been working on a secure site and, after implementing the second, database-related method, I ended up arguing (in a friendly way) with a co-worker about the two methods. Although I am sure the database one is right (though I am willing to be proved wrong, of course), I was unable to provide a solid example as to why.
Again...using $_SESSION is not what is insecure; it's the storage medium. If you really think others are going to steal your session files on a shared host, you should probably request that your hosting company re-evaluate their security and usage policies, as opposed to implementing your own. You could also just write an abstraction layer for $_SESSION and store the data in a database.
If I understand you correctly, you are currently generating a SID whenever someone logs into your system...storing that SID in a cookie and registering that SID in a custom database table that you look up to determine authentication status. Basically you are re-inventing the wheel, because that is exactly what PHP session support does.
http://ca.php.net/manual/en/function.se ... andler.php
Read the above link...it documents how to switch from native file storage to something a little more secure, like a database.
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: Page security session or database based?
allspiritseve wrote: Wait, could somebody please explain or link to an article on why keeping session data in the database is more secure than keeping the user's id in $_SESSION?
It's not that $_SESSION is insecure...it's the storage medium.
Anyways...only on shared hosts...because most are set up so that PHP runs as an Apache module -- so, as I understand it, when the session files are created (although they are stored in a location inaccessible from the Internet) they are globally accessible by anyone on that shared server.
So if I knew you hosted with company XYZ, I could rent a shared host, hopefully on the same physical machine as you, and possibly steal your session data and hijack your session. At least this is the conclusion I have come to about session security in this regard.
On a dedicated machine this is not a concern; however, one might still wish to store sessions in a database for the sake of speed.
- allspiritseve
- DevNet Resident
- Posts: 1174
- Joined: Thu Mar 06, 2008 8:23 am
- Location: Ann Arbor, MI (USA)
Re: Page security session or database based?
Hockey wrote: It's not that $_SESSION is insecure...it's the storage medium.
Gotcha.