  1. #1 sp0om (SitePoint Evangelist)

    PHP Session Security

    I'm having difficulty wrapping my mind around the whole concept of securing session variables. What sorts of basic steps do you guys take to protect session variables?

    -sp0om

  2. #2 chris_fuel (SitePoint Wizard)
    That's a somewhat odd statement. Define exactly what you mean by securing session variables. Can you give an example so that we can provide you with a suitable answer?

  3. #3 Dan Grossman
    Quote Originally Posted by sp0om:
        I'm having difficulty wrapping my mind around the whole concept of securing session variables. What sorts of basic steps do you guys take to protect session variables?

        -sp0om
    Unlike cookies, which are stored by the client (the web browser), session variables are stored on the server. By default, when PHP creates a session it creates a new file in a temporary directory (usually /tmp), which it reads every time the session is opened. A garbage collection process deletes the files automatically after a certain time passes, which effectively 'times out' the sessions.

    All the browser sends back with each request is the session identifier given to it when you started the session. So unlike cookies, session variables can't be directly edited by the user.

    There is still a security concern though if you're in a shared web hosting environment -- everyone's PHP scripts store their sessions to the same location by default, and they're not tied to any account. Anyone on the server can read your user's sessions.

    If you check out the sessions portion of the PHP manual, there are settings for changing how and where session data is stored if you are interested.

  4. #4 (SitePoint Addict)
    Sometimes it's safer to use a custom PHP class for storing session data in your database. This way, your session files are not sitting in some /tmp. By using a combination of SSL and sessions stored in your DB, you can feel a little more secure.

    Peter
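Posts #3 and #4 above describe changing where PHP keeps session data and, in particular, moving it out of the shared /tmp directory into a database. The following is an added example and not code from either poster: a custom save handler backed by PDO/SQLite, wired up together with the session-cookie settings a practitioner would set alongside it (strict mode, cookie-only ids, Secure/HttpOnly flags, and an id regeneration at login, which also addresses the hijacking question raised later in the thread). PHP 7.4 or later with the PDO SQLite driver is assumed; the table name php_sessions, the database path and the 30-minute lifetime are assumptions for this example.

```php
<?php
// Added example (not the posters' code): keep PHP session data in a database
// instead of the shared /tmp directory, via a custom save handler.
// Assumes PHP 7.4 or later with PDO and the SQLite driver. The table name
// php_sessions, the database path and the lifetime are assumptions.
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private PDO $db;
    private int $lifetime; // seconds of inactivity before a session is considered dead

    public function __construct(PDO $db, int $lifetime)
    {
        $this->db = $db;
        $this->lifetime = $lifetime;
        // Schema for the example; create it out of band in a real deployment.
        $this->db->exec('CREATE TABLE IF NOT EXISTS php_sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, last_access INTEGER NOT NULL)');
    }

    public function open($path, $name): bool { return true; }
    public function close(): bool { return true; }

    // The session id comes from the client's cookie, so it is only ever
    // passed as a bound parameter, never interpolated into the SQL string.
    public function read($id): string
    {
        $stmt = $this->db->prepare('SELECT data FROM php_sessions WHERE id = ? AND last_access > ?');
        $stmt->execute([$id, time() - $this->lifetime]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : $row['data']; // '' tells PHP this is a new session
    }

    public function write($id, $data): bool
    {
        // INSERT OR REPLACE is SQLite syntax; other engines use their own upsert form.
        $stmt = $this->db->prepare('INSERT OR REPLACE INTO php_sessions (id, data, last_access) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time()]);
    }

    public function destroy($id): bool
    {
        return $this->db->prepare('DELETE FROM php_sessions WHERE id = ?')->execute([$id]);
    }

    // Garbage collection; PHP calls this according to session.gc_probability.
    public function gc($maxLifetime): int
    {
        $stmt = $this->db->prepare('DELETE FROM php_sessions WHERE last_access < ?');
        $stmt->execute([time() - (int) $maxLifetime]);
        return $stmt->rowCount();
    }

    // Required for session.use_strict_mode to take effect with a custom handler:
    // an id the server never issued (for example one planted by a session-fixation
    // attempt) is rejected and PHP generates a fresh one instead.
    public function validateId($id): bool
    {
        $stmt = $this->db->prepare('SELECT 1 FROM php_sessions WHERE id = ? AND last_access > ?');
        $stmt->execute([$id, time() - $this->lifetime]);
        return $stmt->fetchColumn() !== false;
    }

    public function updateTimestamp($id, $data): bool
    {
        return $this->db->prepare('UPDATE php_sessions SET last_access = ? WHERE id = ?')->execute([time(), $id]);
    }
}

// Wiring, run before session_start() on every request.
$db = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite'); // path is an assumption
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new PdoSessionHandler($db, 1800), true);

ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue
ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
session_set_cookie_params([
    'secure'   => true,   // cookie only sent over HTTPS (the SSL point from post #4)
    'httponly' => true,   // not readable by script, which blunts theft via XSS
    'samesite' => 'Lax',
]);
session_start();

// After a successful password check: issue a new id, so any id an attacker
// observed or planted before login stops working.
function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

Because the handler writes to a database the hosting account owns, other tenants on a shared server no longer get to read the session files in /tmp, which was the concern in post #3. The validateId() method matters more than it looks: without it, use_strict_mode has nothing to check against for a user-defined handler, and an attacker-chosen id would simply be created on first use.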

  5. #5 sp0om (SitePoint Evangelist)
    How about this. When a user successfully logs in, I'll change a field in the user_information table to indicate he/she successfully logged in. On each page requiring a valid login, I'll run a function that checks the database to verify a valid login. So if a session is hijacked, it will only be usable while a user is logged in?

    Also, how do I view other session variables on my webserver? Not for hacking purposes, but if I know how to do this stuff, I'll better be able to protect myself. I've looked in my tmp directory, but ... yeah. I'm confused.

  6. #6 (SitePoint Evangelist)
    I would have a function that generates a random string of 20 or 30 alphanumeric characters. Send it as a cookie to the user, and insert it into a table with the user's name and a timestamp of when they logged in. For each page they visit, look for the cookie. If it is found, query the database for the alphanumeric code. If that is found, get the username and you will know that the user is logged in. You can use the timestamp to make the sessions expire after a certain amount of time.
    Paul Butler.org
    JSSpamBlock - Reduce WordPress spam.
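The random-token login scheme described in post #6 above, as an added example that is not the poster's code. It goes beyond the post in two ways: the token is produced by PHP's CSPRNG (random_bytes) rather than an unspecified generator, and only the SHA-256 of the token is stored, so a dump of the table does not hand out usable tokens. PHP 7.3 or later with PDO/SQLite is assumed; the table login_tokens, the cookie name and the one-hour lifetime are assumptions for this example.

```php
<?php
// Added example (not the poster's code): the random-token login scheme from
// the post above. Beyond the post: the token comes from random_bytes() and only
// its SHA-256 is stored, so a read of the table yields nothing usable.
// Assumes PHP 7.3+ with PDO/SQLite; table and cookie names are assumptions.
declare(strict_types=1);

const TOKEN_COOKIE   = 'login_token';
const TOKEN_LIFETIME = 3600; // seconds; enforced from the stored timestamp

function createTokenTable(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS login_tokens (
        token_hash TEXT PRIMARY KEY, username TEXT NOT NULL, created_at INTEGER NOT NULL)');
}

// Call after the password check succeeds; returns the raw token for the cookie.
function issueToken(PDO $db, string $username): string
{
    $token = bin2hex(random_bytes(24)); // 48 hex characters, 192 bits of entropy
    $stmt = $db->prepare('INSERT INTO login_tokens (token_hash, username, created_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $username, time()]);
    return $token;
}

function sendTokenCookie(string $token): void
{
    setcookie(TOKEN_COOKIE, $token, [
        'expires'  => time() + TOKEN_LIFETIME,
        'path'     => '/',
        'secure'   => true,  // HTTPS only
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Per-request check: the username for a valid, unexpired token, else null.
// The cookie is attacker-controlled input, so its shape is checked first and
// it is then used only as a bound parameter after hashing.
function userFromToken(PDO $db, ?string $cookie): ?string
{
    if ($cookie === null || !preg_match('/^[0-9a-f]{48}$/', $cookie)) {
        return null;
    }
    $stmt = $db->prepare('SELECT username FROM login_tokens WHERE token_hash = ? AND created_at > ?');
    $stmt->execute([hash('sha256', $cookie), time() - TOKEN_LIFETIME]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

// Logout: delete the server-side record so the cookie value is dead even if it was copied.
function revokeToken(PDO $db, string $cookie): void
{
    $db->prepare('DELETE FROM login_tokens WHERE token_hash = ?')->execute([hash('sha256', $cookie)]);
}

// Offline demonstration against an in-memory database (constructed data).
// In a web request you would call sendTokenCookie(issueToken($db, $user)) at
// login and userFromToken($db, $_COOKIE[TOKEN_COOKIE] ?? null) on each page.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createTokenTable($db);
$token = issueToken($db, 'sp0om');
echo userFromToken($db, $token) === 'sp0om' ? "valid token -> sp0om\n" : "unexpected\n";
echo userFromToken($db, str_repeat('0', 48)) === null ? "unknown token rejected\n" : "unexpected\n";
revokeToken($db, $token);
echo userFromToken($db, $token) === null ? "revoked token rejected\n" : "unexpected\n";
```

Note that this reimplements what PHP's own session mechanism already gives you (a random id in a cookie mapped to server-side state with expiry), so the main reason to prefer it is the control it offers over storage and revocation, and the same Secure/HttpOnly cookie flags apply in both cases.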

