
How secure are session variables for tracking logged in users?


Ritchie-T


Your method is about the best way.

 

The session ID (a unique and hard to guess/create value) identifies the visitor for the current visit (that is not just using his username as that is fairly easy to guess and create a cookie with it in it.) The user id in the session identifies who that visitor is. The record in the database contains specifics about that person, is he logged in...

 

The concern is session hijacking (someone getting the session id) and then connecting to your site and having access to the same information that the real visitor has.

 

There are several things you can do to prevent this -

 

Use a https connection. This will prevent anyone who is monitoring data packets from seeing the session id.

 

Regenerate the session id on each page visit. If someone does get the session id, it will only be valid for a short time.

 

Record the visitor's IP and compare it on each page access (an IP won't change during a single visit unless they lose their Internet connection and reconnect, in which case you can just tell them they need to re-login.)

 

Record the user agent information and compare it on each page access (their browser won't ever change during one visit.)


Record the visitor's IP and compare it on each page access (an IP won't change during a single visit unless they lose their Internet connection and reconnect, in which case you can just tell them they need to re-login.)

 

Unfortunately not true. Some people will have a slightly different IP for each request (e.g. AOL users).


It's quite well documented:

 

It is not uncommon for an AOL user to get a different IP address for each page that they view

http://www.outsidethecode.com/faq/aol_ip.aspx

 

They change IP address every request sometimes.

http://www.usenet-forums.com/php-general/358507-php-re-about-session-cookies.html

 

AOL.COM is one of the big ISPs where their users' IP address is constantly changing as they browse your site

http://www.sitemeter.com/?a=help&area=compare

 

 

Edit: Oh, and from AOL themselves:

When a member requests multiple documents for multiple URLs, each request may come from a different proxy server


Thanks for the replies guys.

 

Just a few questions. :)

 

How would somebody get the session id of another user if they are only kept in a session variable? And if they did how would they use it to their advantage? They can’t manually set their session id and browse the site can they?


The session id is not kept in a session variable (unless you have code putting it in one.) The session id is passed back and forth between the browser and the server. Normally in a cookie, but optionally as a GET parameter on the end of the URL.

 

The server sends the session id to the browser when the session is created (or the session id is regenerated) and the browser sends it to the server with each http/https request.

 

Unless you put program logic in place to detect it, anyone who visits a page on your site with a session_start() and sends a session id that matches an existing session data file will resume that specific session.

 

Sending a header with a cookie with the name of the session and the session id as the value is easy. It is even easier sending this as a GET parameter on the end of the URL (when your site is using this method.)


Thanks for the reply.

 

I was very brief with my explanation. :)

 

I have a mysql database which stores all the users and their information. The users are identified in the database with a unique id number. I was planning on keeping the user's id number that refers to their row of information in a session variable so it can be read on each page if the user is logged in. I would then connect to the mysql database and use the number in the session variable to locate the user’s row of information in the database.

 

This is the way that I have come up with for keeping users logged in when browsing the site. Since no log in information is held in the session variable, I figured it would be quite safe since only the user's id number is being passed about.

 

I was wondering if this would be as safe as I think it is. Is there any way for somebody to capture somebody else’s session variable? Would they be able to manually create their own session variable somehow with a number of their choice?

 

Thanks again for all your help.


Yeah, they can pick a session ID for themselves. They are the ones responsible for sending it to you after all (well, indirectly at least... it'll be the browser which does it). If they don't send one then PHP will give them one. That's why you need a session ID with high entropy, so you cannot easily guess previous session IDs. For instance, if your session IDs are generated using integers which increase linearly, then if you see that you get session ID 468, someone else would probably have 467, and then you could try that and see if you could fixate their session. If you however have a session ID which consists of, say, 32 alphanumeric characters which are randomly chosen, then it would be pretty difficult to guess what a previous valid session ID could've been. If the attacker can guess a valid session ID, though, then he will essentially be logged in as the user to whom the session ID belongs. Normally you needn't worry about picking a good enough session ID, as PHP will take care of that. Taking some of the precautions previously mentioned in this topic will increase the security.

Always remember though, virtually all the information you know about the user is what the user told you themselves. A general rule for security is that you shouldn't trust anything whatsoever. Filter and check data when it enters your system (e.g. a form submission) and when it leaves your system (e.g. text output to the browser). That should take care of the majority of security issues. You can't do anything about your users' carelessness other than inform them of good security practice. Typically humans are the most vulnerable entity in a secured system.
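The following is an added example, not code posted in this thread, that puts the advice from the replies above into one PHP login helper: cookie-only session ids sent over https, a fresh id when the user logs in (so a pre-login id cannot be fixated), the user's row id as the only thing kept in the session, a user-agent check on each request, and deliberately no full-IP check because of the AOL proxy behaviour described above. It assumes a PDO handle in $pdo, a users table with columns id, username and password_hash, and a site served over https; the id is rotated every few minutes rather than on every page visit, because per-request regeneration breaks pages that fire several requests at once.

```php
<?php
// Added example; assumes a PDO handle $pdo and a users(id, username, password_hash) table.
session_set_cookie_params([
    'secure'   => true,   // cookie only travels over https (thread: use https)
    'httponly' => true,   // not readable by page scripts
    'samesite' => 'Lax',
]);
ini_set('session.use_only_cookies', '1'); // never accept the id as a GET parameter
ini_set('session.use_strict_mode', '1');  // reject ids this server never issued
session_start();

function login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // New id at the moment privileges change: an id handed out before
    // login is worthless afterwards, so it cannot be fixated.
    session_regenerate_id(true);
    $_SESSION['user_id']    = (int) $row['id'];   // only the row id, as the OP planned
    $_SESSION['ua_hash']    = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['last_regen'] = time();
    return true;
}

function current_user(PDO $pdo): ?array {
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    // User agent must match the one seen at login; the full IP is not compared
    // because proxied users (the AOL case above) can change IP on every request.
    if ($_SESSION['ua_hash'] !== hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '')) {
        logout();
        return null;
    }
    // Rotate the id periodically instead of every request, so parallel
    // requests (images, AJAX) do not race on a just-invalidated id.
    if (time() - $_SESSION['last_regen'] > 300) {
        session_regenerate_id(true);
        $_SESSION['last_regen'] = time();
    }
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

function logout(): void {
    $_SESSION = [];
    session_destroy();
}
```

Call login() from the login form handler and current_user() at the top of every protected page; a null return means the visitor is not (or no longer) logged in.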

