Sessions Vs. Cookies re: Security

Stryks
Forum Regular
Posts: 746
Joined: Wed Jan 14, 2004 5:06 pm

Post by Stryks »

I've been reading around, trying to get as much info as I could before starting in on my user authentication system, but I'm somewhat at a loss as to what sort or level of security is needed.

For example, I've read that sessions are easy to use, but that if the session ID is leaked then anyone can assume the identity of that session holder.

Then there are cookies, and for some reason I don't see any reference anywhere to security issues with cookies, which is odd to my mind, as the whole session ID problem appears to relate to the value stored inside the session cookie anyhow.

So let's just say that someone is monitoring my website traffic (one of the vulnerabilities listed under sessions); then aren't they also going to see any info I have in a cookie? And even if I then encrypt that info, can't they just send the info raw and let the server react the way it would for the real cookie holder?

It's all pretty confusing to my mind, especially as I like the idea of using sessions for tracking info during a visit, but I like the idea of using cookies to hold the information to allow automatic login for x amount of days.

Can anyone shed any light on any of this for me? Thanks :?
ol4pr0
Forum Regular
Posts: 926
Joined: Thu Jan 08, 2004 11:22 am
Location: ecuador

session

Post by ol4pr0 »

Well, about the security of a SessionID:

It's not true that after some time you can copy and paste the lines and go back to where <wherever>,

since there is a session_start()

there is also a session_save_path() < which enables you to set a time for the session ID

http://www.php.net/session
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

Sessions() are more secure than cookies. If you set a cookie with PHP it is stored on the user's machine (client-side)... sessions however store their information on the server which is (in most cases) outside of public access.
Stryks
Forum Regular
Posts: 746
Joined: Wed Jan 14, 2004 5:06 pm

Post by Stryks »

ol4pr0 - By mentioning the ability to set the expiry time for a session, are you saying I could set the expiry for a set number of days and thereby skip the need for a login cookie? I ask because, well, my sessions seem to reset if I leave the site and come back .. or if I close the browser and re-open it.

Gen-Ik - I was under the impression that the session is created with an ID number, which is then sent and stored on the client machine in a cookie, which is how the Session_start() function knows what session to give you. So if someone built a cookie using data somehow gathered from the cookie, and went to your site, then the server would load the session for that session ID, basically meaning that the second person was logged in as the first.

Sorry if I am getting all of this back to front ... I'm just trying to find a way to get my mind around the two concepts and how they work in terms of security.

Thanks :)
DuFF
Forum Contributor
Posts: 495
Joined: Tue Jun 24, 2003 7:49 pm
Location: USA

Post by DuFF »

I ask because, well, my sessions seem to reset if I leave the site and come back .. or if I close the browser and re-open it.
This is exactly how sessions are supposed to act. If you leave the site or close the browser, the session resets.

To add increased security, on every page you can check for another session value that you set at the beginning of the session.

Here's an example that I use, I found it on PHP.net comments long ago:

<?php
session_start();

// get the unique time that this user has logged in at
// (time() rather than mktime(): mktime() with no arguments is an error in PHP 8)
$time_started = md5(time());

// hash the username
$secure_session_user = md5($_POST['username']);

// set username
$_SESSION['username'] = $_POST['username'];

// this session_key will be used to authenticate on every page
$_SESSION['session_key']     = $time_started . $secure_session_user . session_id();
$_SESSION['current_session'] = $_POST['username'] . "=" . $_SESSION['session_key'];

// then on top of every page you want to check for user authentication use this
if ($_SESSION['current_session'] != $_SESSION['username'] . "=" . $_SESSION['session_key']) {
    die("Your session has expired, please login.");
}
?>
This will create session variables something like this:

$_SESSION['username'] = "DuFF"
$_SESSION['session_key'] = "f5e77298b3d4148be862" . . . (64chars long)
$_SESSION['current_session'] = "DuFF=f5e77298b3d4148be862" . . .
So on every page you are comparing the username + session_key to the current_session. Seems pretty secure to me :wink:
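An added example, not code from this thread, for the "automatic login for x days" cookie Stryks asks about and the per-page check in DuFF's post: the cookie carries only a random token whose hash is kept server side, so a copied cookie can be revoked and a leaked database row cannot be replayed, and the session ID is regenerated at login so a pre-login ID is never promoted. It assumes session_start() has already run, a PDO handle $db, and a table persistent_logins(selector, validator_hash, user_id, expires); all three are this example's own assumptions.

```php
<?php
// Added example, not code from the thread. Assumes session_start() already ran, a PDO
// handle $db and a table persistent_logins(selector, validator_hash, user_id, expires).

// Call once the password has been verified.
function login_success(PDO $db, int $user_id, bool $remember): void
{
    // Fresh session ID: an ID the browser held before login is never promoted.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
    if (!$remember) {
        return;
    }
    // Selector finds the row; validator is the secret and is stored only hashed.
    $selector  = bin2hex(random_bytes(8));
    $validator = random_bytes(32);
    $expires   = time() + 30 * 24 * 3600;   // 30 days
    $stmt = $db->prepare('INSERT INTO persistent_logins (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $user_id, $expires]);
    // The cookie carries no username or password, only the random token.
    setcookie('remember', $selector . ':' . bin2hex($validator), [
        'expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// On a request with no logged-in session: try to redeem the cookie.
function login_from_cookie(PDO $db): ?int
{
    if (isset($_SESSION['user_id'])) {
        return $_SESSION['user_id'];
    }
    $parts = explode(':', $_COOKIE['remember'] ?? '', 2);
    if (count($parts) !== 2 || strlen($parts[1]) !== 64 || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validatorHex] = $parts;
    $stmt = $db->prepare('SELECT user_id, validator_hash, expires FROM persistent_logins WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown selector, expired row or wrong validator (constant-time compare): reject and clear.
    if (!$row || $row['expires'] < time()
        || !hash_equals($row['validator_hash'], hash('sha256', hex2bin($validatorHex)))) {
        setcookie('remember', '', ['expires' => time() - 3600, 'path' => '/']);
        return null;
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['user_id'];
    return $_SESSION['user_id'];
}
```

Deleting the persistent_logins row (on logout or password change) is what invalidates a cookie that may have been copied, which no client-side value alone can do.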