
I have seen many scripts mixing sessions with cookies and having two session names: the username or ID, and the session ID.

Is this secure?

    if ($this->login($username, $password))
    {
        // everything works..
        $_SESSION['name'] = $username;
    }

Why do you need to generate a new session ID? Why mix cookies with it? And what are the best ways to do it to prevent most of the attacks?

  • Because User X can get/steal/generate the session ID of user A. Because it's the easiest way for your server to know who a user is. Validate the session/user somehow and use HTTPS. – JimL Jul 19 '13 at 12:12
  • @JimL: "Validate the session/user somehow" - please clarify it. – zerkms Jul 19 '13 at 12:13

3 Answers

  1. You generate session IDs for each unique user so no data is shared!
  2. You use cookies to be able to use transparent sessions, so you don't have to pass the session ID in every URL.
  3. Read some of the comments in this thread.
tlenss
  • Oh I see, can you please show me a little example of the session id & cookies? – Junatanm Degraded Jul 19 '13 at 12:19
  • You already did that in your own example. Unless you have session.use_cookies disabled. Then you would need to pass the SESSID along with each request – tlenss Jul 19 '13 at 12:21

Sessions are generally considered secure if you use session_regenerate_id(), especially if you use HTTPS.

Every other security issue depends on your code (-> the way you handle data):

  • user inputs
  • how you store data (pw/email)
  • how you keep the user logged in
  • how you pass information
  • ..
qsi
  • Using `session_regenerate_id()` does not really make a session "secure". For example, if someone has hijacked/fixated on a session and you regenerate it, you could potentially send the attacker the new session ID, leaving your actual user locked out without a valid session id. Not saying it's not beneficial to regenerate ids, but only when paired with other validation. – Mattiavelli Jul 19 '13 at 13:24
  • You are right, `session_regenerate_id()` does not make a session suddenly secure. It does make it "securer" though. On the other hand that's not actually what I wrote, I wrote that sessions are generally considered secure if you use `session_regenerate_id()`. EDIT: I should have added this `ini_set('session.use_only_cookies', 1)` – qsi Jul 22 '13 at 09:52
  • Yep, I figured you knew what you were talking about. I just wanted to clarify for some of those that may have been unaware! Take care – Mattiavelli Jul 22 '13 at 13:08
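As an added example (not code from the question or from any of the answers), this is what the cookie-only, regenerate-on-login setup that qsi and tlenss describe looks like in PHP. It assumes PHP 7.3 or later and an HTTPS deployment; `verify_credentials()` and its inline user table are hypothetical placeholders standing in for a real database lookup of a stored `password_hash()` value.

```php
<?php
// Added example, not code from the question or any answer.
// Assumes PHP >= 7.3 and that the site is served over HTTPS.
declare(strict_types=1);

function start_secure_session(): void
{
    // Accept the session ID only from the cookie, never from the URL
    // (the "transparent session" tlenss mentions, without URL rewriting).
    ini_set('session.use_only_cookies', '1');
    // Reject session IDs the server did not generate itself; this blunts
    // session fixation, the case Mattiavelli raises in the comments.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // cookie expires when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Hypothetical credential check. A real application fetches the stored
// password_hash() value for $username from its database; the inline table
// here is constructed for the example only.
function verify_credentials(string $username, string $password): ?int
{
    $users = [
        'alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    ];
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return null;
    }
    return $users[$username]['id'];
}

function login(string $username, string $password): bool
{
    $userId = verify_credentials($username, $password);
    if ($userId === null) {
        return false;
    }
    // Discard the pre-login session ID and its data file. Whatever ID the
    // browser carried before authenticating (possibly observed or planted
    // by someone else) never becomes an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

start_secure_session();
if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) {
    echo 'logged in as user ' . $_SESSION['user_id'];
} else {
    http_response_code(401);
    echo 'invalid credentials';
}
```

The two `ini_set()` calls must run before `session_start()`, or they have no effect on the current request; in production they belong in `php.ini` or the server configuration rather than in application code. Passing `true` to `session_regenerate_id()` deletes the old session file, so the old ID cannot be replayed after login.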

OK, session security is quite a complex issue in reality as there are a lot of things to consider.

First of all you want to consider how your session data itself is stored. By default PHP stores session data in files located on your web server. If you have dedicated hosting this is perfectly acceptable; however, shared hosting plans can occasionally (and accidentally) grant users of other hosting accounts on the server access to that session data. You are able to override the default session behaviour to write to a database or a location you have secured yourself; however, I'm not going to go into detail about this in this answer.

Secondly you have to take into account session theft. You must ensure that your sessions use cookies instead of the significantly more dangerous URL-based option. I would then create a second cookie to store user data that should remain the same under normal session conditions. This should NOT be an IP address as this is subject to change; however, the user should not be changing browsers during the session, so their user agent should do fine. If you combine this with private data from your system (user ID etc.) and then hash it, you have some additional data to check against that is pretty much impossible for an attacker to guess.

If you ensure that you are using an SSL connection and you regenerate the session ID upon login, you should have yourself a secure system. I do feel like I have missed out a few things but I'll keep it short and sweet and leave it there for you to continue your research.

Hope this helps a little,

Ryan

Ryan Lund
  • Oh, it's also important to remember that this alone will not secure your system. Please remember to protect yourself against things like SQL injection attacks, validate all user input and ensure your users' data is stored in a safe manner (no plain-text passwords etc.) – Ryan Lund Jul 19 '13 at 12:53
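The client-binding check Ryan Lund describes (user agent combined with private server-side data, hashed, and compared on every request), as an added example that is not part of his answer. It uses a keyed HMAC so the value cannot be reproduced without the server secret, and keeps the binding value in `$_SESSION` rather than in a second cookie; the cookie variant works the same way, but a server-side value cannot be edited by the client at all. `SESSION_BINDING_KEY` is a hypothetical placeholder that would come from configuration, and the login flow (including `session_regenerate_id()`) is assumed to happen elsewhere.

```php
<?php
// Added example, not code from the answer above. Assumes PHP >= 7.1, a
// session already started with cookie-only settings, and that
// SESSION_BINDING_KEY is loaded from configuration (placeholder value here).
declare(strict_types=1);

const SESSION_BINDING_KEY = 'placeholder-replace-with-a-long-random-secret';

// Derive the binding value from data the answer says should stay constant
// for the life of a session (the user agent) plus private data (user ID).
// The HMAC key is the "private data from your system" that makes the value
// infeasible to guess even if the user agent and user ID are known.
function client_binding(int $userId): string
{
    $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $userAgent . '|' . $userId, SESSION_BINDING_KEY);
}

// Call once, right after a successful login and session_regenerate_id().
function bind_session_to_client(int $userId): void
{
    $_SESSION['user_id'] = $userId;
    $_SESSION['binding'] = client_binding($userId);
}

// Recompute the binding for the current request and compare it with the
// value stored at login. hash_equals() is a constant-time comparison, so
// the check does not leak how many leading bytes matched.
function session_is_bound(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['binding'])) {
        return false;
    }
    $expected = client_binding((int) $_SESSION['user_id']);
    return hash_equals($expected, (string) $_SESSION['binding']);
}

// Gate for every authenticated request: on mismatch the session cookie was
// presented by a client that differs from the one that logged in, so the
// session is dropped instead of trusted.
function require_bound_session(): int
{
    if (!session_is_bound()) {
        $_SESSION = [];
        session_destroy();
        http_response_code(401);
        exit('session invalid, please log in again');
    }
    return (int) $_SESSION['user_id'];
}

session_start();
$userId = require_bound_session();
echo "request authenticated for user $userId";
```

One caveat worth knowing before deploying this: the User-Agent string changes when a browser auto-updates mid-session, so a strict comparison will occasionally log a legitimate user out. That is the trade-off the answer accepts by choosing the user agent over the IP address, which changes far more often; treating a mismatch as "log in again" rather than as an error keeps the failure mode harmless.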