phat_hip_prog

Members
  • Posts

    177
Everything posted by phat_hip_prog

  1. KEEP CALM, NOBODY IS PERFECT; this is just a discussion.
  2. Using the id as a salt isn't really up to the job: if I was to look at how many registered users there are on the site (if shown) then I could make a guess at the id. Generate a new pseudorandom string for each user on password generation.
     Many think of rainbow tables as having to be generated for each instance, but you can build a general lookup table for a given length keyspace, then you can just extract at will. I shouldn't mention that the same can be done for public keys or one-time passes, but yes, that comes down to storage (public key primes are set to be a minimum size and generally not over a certain size, so the keyspace isn't as big as some report) (use references for less memory too!).
     Numerous tutorials now tell you to regen the session_id on every page request, essentially making this simple cookie ref a nonce.
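An added example, not the poster's code and not from the thread, illustrating the salt point above: a sequential user id as salt is guessable, a per-user random salt is not, and PHP's password_hash() generates its own random salt so no salt column is needed at all. The sample password is a constructed value.

```php
<?php
// Added example, not from the original post: id-as-salt versus a random per-user salt.
declare(strict_types=1);

// Weak: the salt is the user id, so anyone who can guess the id range can build
// a lookup table per id in advance, and the same table works on every site
// that uses this construction.
function hashWithIdSalt(int $userId, string $password): string
{
    return hash('sha256', $userId . ':' . $password);
}

// Better: 16 bytes from the CSPRNG, stored next to the hash, so a table built
// for one user is useless for every other user.
function hashWithRandomSalt(string $password, ?string $saltHex = null): array
{
    $salt = $saltHex === null ? random_bytes(16) : hex2bin($saltHex);
    return [
        'salt' => bin2hex($salt),
        'hash' => hash('sha256', $salt . $password),
    ];
}

function verifyWithRandomSalt(string $password, array $record): bool
{
    $again = hashWithRandomSalt($password, $record['salt']);
    return hash_equals($record['hash'], $again['hash']);   // constant-time compare
}

// Preferred in PHP: password_hash() picks a random salt itself and uses a slow
// algorithm (bcrypt), which a plain SHA-256 is not.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT);
}

function checkPassword(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Demo with a constructed sample password.
$pw = 'correct horse battery staple';
echo "id salt, same input twice: ", var_export(hashWithIdSalt(42, $pw) === hashWithIdSalt(42, $pw), true), "\n";
$a = hashWithRandomSalt($pw);
$b = hashWithRandomSalt($pw);
echo "random salt, same password, different hashes: ", var_export($a['hash'] !== $b['hash'], true), "\n";
echo "random salt verifies: ", var_export(verifyWithRandomSalt($pw, $a), true), "\n";
$stored = storePassword($pw);
echo "password_verify: ", var_export(checkPassword($pw, $stored) && !checkPassword('wrong', $stored), true), "\n";
```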
  3. Never in my life seen it implemented that way, so it doesn't use access, hmmm, and it's monitoring the changes in session vars and only writing them back out if modified. OK, glad that in reality I don't use session vars and just use the db. Not in Linux at mo and I've never checked what permissions are used in tmp. Are we just talking httpd / apache, or nginx, lighttpd, etc. too?
  4. Zulooump, that's the sound of me suggesting "stay logged in". objnoob is the dog btw...
  5. You're right, it's a salt, but I sometimes use the following interchangeably ('cos I smoke too much crack): IVs, nonce or salt. I agree that stay logged in is an issue, but if you want to go that way let's enforce excellent passwords too; yet usually our clients' clients will go elsewhere if they have to log in each time. Usability is an annoyance from a security standpoint but generally a necessity IMHO.
  6. I was guessing that the session data had a timestamp which got updated on each start? The survival of the session (data) is, yes, an issue; not wanting to be flippant, but it's not a security issue, however it is an annoyance / flaw to this concept...! I was thinking of this last week, considering if it was faster to use session files or just easier and faster to use the database (see your next point). Yes, I went this way last week, ignored sessions altogether. I can honestly say that my bank does have a stay logged in button, but there is a warning, then they have a default timeout thing (not sure if that doesn't work if you check stay logged in because I've never checked it). Yes, in my production sites it uses other user info, site salt, user salt and last login time; it is repeatable.
  7. Thank you, but I'm still not convinced using an extra cookie offers any extra protection, but with your session name concept at least it doesn't have to set the session cookie info twice anymore.
  8. But an extra cookie with those details does the same thing anyway... it's just two keys instead of one, but if you have access to one you also have access to the other. Absolutely, however many examples do the same but store that as a session var instead. I read this many years ago and have always added something somewhat random to hashes and store it alongside user info; generally I just store last_login_time, so the hash changes every time you log in: http://www.amazon.co.uk/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099/ref=sr_1_1? (a lot of the algorithm stuff may be outdated but the protocol analysis is still valid)
  9. Why didn't I think of that??? I don't see it really being an issue because cookies are easy to see and send all along, 'cos that's what happens anyway. (I do in my scraper anyway.) I know there is an ini setting for it but never read the manual entry for it, though; good to know! I like those types of sites!
  10. Hmmm, yes, but since you can't query the expiry date it's pointless (it could be non-logged, logged-in session or logged-in long time); you only know once the session is started, by the existence of the session vars. The remember me cookie can be copied too and it's exposing your hashed private details (replay attack / man in the middle, rainbow tables, etc). The remember me cookie would require the same lifetime (how long isn't really the issue here, but it'd be the same for both). If they delete the cookies then the session vars would be orphaned, yes, but if you use any form of session then the issue stands for both, but nice point.
  11. For all, this is worth a read if you're interested in security: http://www.phpfreaks.com/tutorial/php-security
  12. When someone visits the site a session cookie is set, then they log in. You can't tell if they have a session cookie or not until you start the session (hence this thread). Also, without an additional cookie or starting the session you can't get any stored info because we don't know who it is.
      How does an additional cookie provide more security? If someone can hijack one then they'll technically have the other too...?
      The tutorial on this site (*must have been devshed or other, may check later, but here's the phpfreaks tutorial: http://www.phpfreaks.com/tutorial/sessions-and-cookies-adding-state-to-a-stateless-protocol ) stores the password hash in session vars (personally I see hashes of password and other static data as sensitive; if you ever went on the Silk Road you'd see the size of the hash cracking gangs out there). Also numerous commentators on here swear by session cookies being better than standard cookies because the server does various checks such as ip, etc... (not seen evidence but...).
      You're right, the server may have deleted the session cache if its expiry date was not set correspondingly too.
      BTW the login / logout buttons are hypothetical in this case; I avoided db use for this isolated example so it could just be dropped in to test. (Probably why I was shocked at GET use; gives self a Gibbs slap then does a DiNozzo confused look in the mirror.)
      At current in production I use both sessions and cookies, but on my smartphone games I don't even use cookies because, well, they don't exist. I mention this because these aren't real time and communicate with php pages.
      This foray was inspired by this thread from last week where someone was discussing doing it without session cookies: http://forums.phpfreaks.com/topic/283245-are-sessions-redundant/
  13. Anyway, never mind the Buzzcocks, many thanks for your input.
  14. Hell yeah! See!! You store it! That's called "stay logged in" and it's a year, not indefinitely! Show me a way using cookies which isn't susceptible to session hijacking? And if you'd be so kind, show me these flaws it's riddled with? All I ever really asked was if it was possible to get the expiry before starting the session since you set the params first; never asked you to write owt, kid. The code worked in the first place, just looking for someone who understood achieving it without resetting the session cookie. Your example was retrograde whilst telling me it was better!!!
  15. Using $_GET is out of the question!!! (Oops, you are only doing that for the form, not my choice of handling web forms.) I think you are missing the point about session lifetimes, something your code is still missing. The stay logged in checkbox was purposely missed out for simplicity of the example code. As I said, the code I posted works fine, but I have to set the session cookie twice because I can't check before starting the session, even though to avoid extra cookie popups you have to set the session cookie lifetime before starting the session. In reality I'm just looking for a neater, more efficient and less intrusive way!
      In your code, you should add something semi-random to the key hash, say time (in your case last login time, say); as it is, the key will be the same across all that user's logins, so it'd only need to be cracked once!!! * In a production environment I have an install salt and a user specific salt, but if doing a hash I'd also add time in somewhere else. All you have to do is check the keyspace of the max salt size, not very safe!
  16. But what about after they close the browser and then reopen it? To do that you'd need to set the expiry date to non-zero, but if you set the expiry date non-zero for all, then even if not logged in and they reopen the browser, their session id persists (not the session vars, because we invalidated them).
  17. I don't alter the expiry date willy-nilly; as is, it sets it to a future date if logged in and 0 if not logged in, so that the session isn't carried over after the browser is closed. I'm just trying to preset the session cookie rather than doing it after... because, if you don't click "accept all cookies from this site" then you are prompted to accept a cookie (every page request), but if you preset the cookie then you aren't prompted all the time.
  18. Have an optionally stay logged in system and preset the session cookie params (either by setcookie or session_set_cookie_params()), and I'm after doing it all before session start.
  19. OK, I understand the setcookie overwrite, wasn't thinking, but when I test for the cookie existence on reopening the browser I'm logged out; see the commented out bit in the else. However, using setcookie() does stop me having to regen the session id:

      <?php
      error_reporting(E_ALL);
      ini_set('display_errors', '1');
      ini_set('session.use_only_cookies', 1);
      $cookieParams = session_get_cookie_params();
      $loggedin = true;

      if (isset($_GET['logout'])) {
          // Browser-session cookie (lifetime 0), then wipe the session on both sides.
          session_set_cookie_params(0, $cookieParams["path"], $cookieParams["domain"], false, true);
          session_start();
          session_regenerate_id(true);
          session_unset(); //unset($_SESSION['myvar']);
          session_destroy();
          header("Location: http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']);
          exit();
      } elseif (isset($_GET['login'])) {
          // Lifetime is seconds from now, not a timestamp: one year.
          session_set_cookie_params(31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
          session_start();
          $_SESSION['myvar'] = "Logged in";
          header("Location: http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']);
          exit();
      } else {
          /*
          if (isset($_COOKIE[session_name()])) {
              echo "here<br />";
              session_set_cookie_params(31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
          } else {
              echo "there<br />";
              session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], false, true);
          }
          */
          session_set_cookie_params(0, $cookieParams["path"], $cookieParams["domain"], false, true);
          session_start();
          if (isset($_SESSION['myvar'])) {
              // Logged in: re-send the same session id with a one-year expiry (setcookie takes a timestamp).
              setcookie(session_name(), session_id(), time() + 31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
          }
      }

      echo session_id() . "<br />";
      if (isset($_SESSION['myvar'])) {
          echo "myvar: " . $_SESSION['myvar'] . "<br />";
          echo "<a href='?logout=true'>logout</a><br />";
      } else {
          echo "<a href='?login=true'>login</a><br />";
      }
      ?>

      Both ways in your example set the time to non-zero; I also need to handle session-only users. Thanks for all help.
  20. Here's my latest version:

      <?php
      error_reporting(E_ALL);
      ini_set('display_errors', '1');
      ini_set('session.use_only_cookies', 1);
      $cookieParams = session_get_cookie_params();
      $loggedin = true;

      if (isset($_GET['logout'])) {
          //session_set_cookie_params(-31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
          session_set_cookie_params(0, $cookieParams["path"], $cookieParams["domain"], false, true);
          session_start();
          //session_destroy();
          session_regenerate_id(true);
          //setcookie(session_name(), '', time()-42000, '/');
          session_unset(); //unset($_SESSION['myvar']);
          session_destroy();
          header("Location: http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']);
          exit();
      } elseif (isset($_GET['login'])) {
          // Lifetime is seconds from now, not a timestamp: one year.
          session_set_cookie_params(31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
          session_start();
          $_SESSION['myvar'] = "Logged in";
          header("Location: http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']);
          exit();
      } else {
          $cookieParams = session_get_cookie_params();
          echo "lifetime: " . $cookieParams["lifetime"] . "<br />";
          /*
          if ($cookieParams["lifetime"] > 0) {
              echo "lifetime: here<br />";
              session_set_cookie_params(31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
          //if ($cookieParams["lifetime"] <= 0) {
          } else {
              echo "lifetime: There<br />";
              session_set_cookie_params(0, $cookieParams["path"], $cookieParams["domain"], false, true);
          }
          */
          /*
          //echo "myvar222: " . $_SESSION['myvar'] . "<br />";
          //if (isset($_COOKIE['PHPSESSID'])) {
          if (isset($_COOKIE[session_name()])) {
              echo "here<br />";
              session_set_cookie_params(31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
          } else {
              echo "there<br />";
              session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], false, true);
          }
          */
          session_set_cookie_params(0, $cookieParams["path"], $cookieParams["domain"], false, true);
          session_start();
          if (isset($_SESSION['myvar'])) {
              //session_write_close();
              // Logged in: switch to the one-year lifetime, then regenerate so the new cookie is sent with it.
              session_set_cookie_params(31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
              //session_start();
              session_regenerate_id(false);
          }
      }
      //session_regenerate_id();

      echo session_id() . "<br />";
      if (isset($_SESSION['myvar'])) {
          echo "myvar: " . $_SESSION['myvar'] . "<br />";
          echo "<a href='?logout=true'>logout</a><br />";
      } else {
          echo "<a href='?login=true'>login</a><br />";
      }
      ?>
  21. Yeah, but that uses an extra cookie! My way works without another cookie, but I have to set the session twice. So there is no way to get the expiration date or a session var before starting the session, even though the session cookie params need to be set before starting the cookie?
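The flow the poster is after, as an added example that is not the poster's code: the cookie lifetime is chosen before session_start() from the login form's checkbox, and a returning remembered user gets the same session cookie re-sent with a long expiry, so no second cookie and no second session start are needed. Assumes PHP 7.3+ for the array form of session_set_cookie_params()/setcookie(), an HTTPS site (secure flag), POST forms named login/logout/remember, and a constructed user name.

```php
<?php
// Added example, not from the original post: stay-logged-in with a single
// session cookie, lifetime decided before session_start().
declare(strict_types=1);

const REMEMBER_SECONDS = 31536000; // one year, as in the thread

ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1'); // ignore session ids the server never issued

// Cookie attributes shared by session_set_cookie_params() and setcookie().
function cookieAttrs(): array
{
    return ['path' => '/', 'domain' => '', 'secure' => true, // assumption: HTTPS site
            'httponly' => true, 'samesite' => 'Lax'];
}

if (isset($_POST['login'])) {
    // Lifetime is known from the form, so it can be set before the session starts.
    $remember = isset($_POST['remember']);
    session_set_cookie_params(['lifetime' => $remember ? REMEMBER_SECONDS : 0] + cookieAttrs());
    session_start();
    session_regenerate_id(true);        // fresh id on privilege change
    $_SESSION['user'] = 'demo';         // constructed value; normally from the DB
    $_SESSION['remember'] = $remember;
} elseif (isset($_POST['logout'])) {
    session_set_cookie_params(['lifetime' => 0] + cookieAttrs());
    session_start();
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying the server-side data.
    setcookie(session_name(), '', ['expires' => time() - 3600] + cookieAttrs());
    session_destroy();
} else {
    // Unknown visitor: default to a browser-session cookie (lifetime 0).
    session_set_cookie_params(['lifetime' => 0] + cookieAttrs());
    session_start();
    if (!empty($_SESSION['remember'])) {
        // Remembered user: extend the existing cookie without changing the id.
        setcookie(session_name(), session_id(),
                  ['expires' => time() + REMEMBER_SECONDS] + cookieAttrs());
    }
}

echo isset($_SESSION['user'])
    ? 'logged in as ' . htmlspecialchars($_SESSION['user'])
    : 'not logged in';
```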
  22. OK, that works, but I need to do it before starting the session because I want to set a different cookie time depending on the existing value. Here is my full code: http://forums.phpfreaks.com/topic/283275-sessions/
  23. You are accessing $db directly and it's initialized as private; you could make an accessor function to execute the query.
  24. You didn't show printing of the stored expiry date! I need to know if the session cookie was last set to 0 or a time in the future; you see, I already set the time in the example.