A smallish question about sessions!


cs.punk

Well it took me quite some time to figure out how sessions work lol... until I finally read how cookies work and then I understood. Anyway! This PHPsessionID it saves as a cookie on the web client, it's a long code, but I could take that code, go to another PC, and just paste it into a new cookie and I would have access to that user's profile or whichever. Is that not a bit insecure? Or does it work in another way?

 

I find all these ebooks I went through all give so much bla bla explaining every detail but so little about actually doing something with all of it.... Rather than learning one thing about variables and then loops and ifs and then putting it together to see how it really works, they just discuss the first million pages all about variables.... Anyone been in my sticky shoes?


You are right about the session: if you can access X user's cookies, you can validate as that user. As far as security, as long as X user keeps their computer free of viruses it is pretty safe.

 

But the only thing saved on the user's computer is that session id, which will either expire upon browser close, logout or even an inactivity time limit. Which are generally good practices to do if you are running a secured site (especially the inactivity time limit).

 

But the same is with any cookie on your machine. You could do that for any site potentially. To avoid something like this, you could store information about their machine and validate that, but that is also foiled by false headers.

 

Either way, the only account compromised is the user who got infected or was cookie-hijacked. So for your "admins" I would suggest to them that they clear cookies on browser close and/or force a cookie policy that the cookie expire time is always x minutes unless they have been active.

 

EDIT:

Sorry for the rambling. In the end sessions are very secure. Like stated, to make it more secure you can validate the session by IP/OS/Browser etc to make sure it is the user's session. If either changed, simply make them re-login, which should not be a huge burden on the user.
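The session checks this post describes (an inactivity limit, binding the session to the browser and IP, and forcing a re-login when either changes), written out as an added PHP example. This is not code from the thread; the 15-minute limit, the `/login.php` redirect and the function names are assumptions. As the earlier post notes, the browser fingerprint can be faked with false headers, so it raises the bar for a copied cookie rather than closing the problem entirely.

```php
<?php
// Added example: hardening a PHP session as suggested in the post above.
// INACTIVITY_LIMIT and the /login.php path are assumed values, not from the thread.
const INACTIVITY_LIMIT = 900; // 15 minutes of idle time before forcing a re-login

function start_hardened_session(): void
{
    // Only accept the session ID from a cookie, and only IDs the server itself issued
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: removed when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable by client-side scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    // Fingerprint of the browser and address this session was created from.
    // Caveat: the User-Agent is under the client's control and IPs change on mobile networks.
    $fingerprint = hash(
        'sha256',
        ($_SERVER['HTTP_USER_AGENT'] ?? '') . '|' . ($_SERVER['REMOTE_ADDR'] ?? '')
    );

    if (!isset($_SESSION['fingerprint'])) {
        // Brand-new session: remember where it came from and when it was last used
        $_SESSION['fingerprint']   = $fingerprint;
        $_SESSION['last_activity'] = time();
        return;
    }

    $idle = time() - ($_SESSION['last_activity'] ?? 0);
    if (!hash_equals($_SESSION['fingerprint'], $fingerprint) || $idle > INACTIVITY_LIMIT) {
        // Browser/IP changed or the user was idle too long: discard the session and re-login
        invalidate_session();
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_activity'] = time();
}

// Wipe the session on the server and expire the cookie on the client
function invalidate_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Call this at the top of every page instead of a bare session_start().
start_hardened_session();
```

After a successful login, call `session_regenerate_id(true)` as well, so an ID that was issued (or copied) before the user authenticated never becomes a logged-in session.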


Which is why a cookie or a session should only identify a visitor. Any logged in status should be held within the user table on the server. This would mean that if someone (an administrator for example) logs out, that state is dependent only on the information in the user table, not the existence of or value in a cookie or a session and the only way to log in is to provide the username/password, and not by the mere possession of a copied cookie.

 

Edit: A cookie that is set to expire when the browser closes can be copied and modified so that it lasts as long as you need.


As a web developer you can only secure your application. You cannot stop people from doing things that jeopardize their own personal information. PHP by default does not store session data in a cookie (it's only browser specific). A developer adds the usage of cookies so that they can allow their users/members a way of staying logged in without having to re-login or maintain settings for that user. That is a (user only) security risk that a developer cannot protect against because it has nothing to do with application security.


Thanks a lot guys, that really helped! :) But uhm, when someone logs in now, for example let's say this PHPsessionid is xy1... then he logs out, then after a day he logs back in, is he given the same xy1 cookie or a new cr5 one?? And so if one tried to copy the xy1 it would be for a LOGGED out user? This is after he logs out and before he logs back in after a day. Sorry guys, I write in a really awful language lol


Ok, I'll try to rewrite what I said in a more 'readable' manner.

 

Someone opens an index.php which has session_start( ); at the beginning of the page.

PHP now assigns his PHPsessionID as r8s4a6sadsadsa8asd4sad8a

He now logs into the site (in whichever way). He closes his browser and opens it again. Now when he logs back in, does he get the same 'r8s4a6sadsadsa8asd4sad8a' or a new one?

 

The answer would be a new one, am I correct?

 

Now if I were to go to another computer and make my own cookie with 'r8s4a6sadsadsa8asd4sad8a' as the ID and go on to the site. Will I then be logged in as him?

 

The answer would be yes, am I correct?

 


The answer would be a new one, am I correct?

Correct.

 

As far as going to another computer and making a cookie, it may or may not work. It depends on the interval your garbage collector is run at, because that clears out the sessions.

 

Give it a try and see; it would be interesting if it would work. What you can alternatively do is set sessions to time out at x time, in PHP and via a database. So if the user inactivity has reached x minutes and they are trying that session hash, it would return that they need to re-login because they are not valid.

 

Another way, which corresponds with the DB of the session hash, is to make it so that on each login you store that hash in the DB; if the hash does not match the one in the DB, then they are not valid. So if someone copied this cookie before he logged out, then he logged out/closed the browser and logged back in, the old hash is no longer valid.

 

But the chances of someone grabbing that cookie with that session ID and re-creating the cookie are slim, unless the user has spyware/a trojan. And if so, this only affects their account and they should learn to install software to prevent/remove that kind of stuff.
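The design from the two posts above, logged-in state kept in the user table rather than in the cookie, and a hash of the session ID stored there at login and compared on every request, as an added PHP example. This is not code from the thread; the `users` table layout (columns `id`, `username`, `password_hash`, `session_hash`), the PDO connection and the function names are assumptions.

```php
<?php
// Added example: server-side login state tied to a hash of the current session ID.
// Assumed schema (not from the thread):
//   CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
//                       password_hash TEXT, session_hash TEXT NULL);
// session_hash is NULL whenever the user is logged out.

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }

    // Issue a fresh ID on login: an ID handed out (or copied) before authentication stays useless
    session_regenerate_id(true);

    // Store only a hash of the ID: a dumped users table then does not yield usable cookies
    $hash = hash('sha256', session_id());
    $pdo->prepare('UPDATE users SET session_hash = ? WHERE id = ?')
        ->execute([$hash, $user['id']]);

    $_SESSION['user_id'] = (int) $user['id'];
    return true;
}

// Returns the logged-in user's id, or null if this session is not (or no longer) valid.
function current_user(PDO $pdo): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT session_hash FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();

    // NULL means the user logged out; a mismatch means this cookie belongs to an older login.
    // Either way the copied cookie alone does not grant access.
    if ($stored === false || $stored === null
        || !hash_equals($stored, hash('sha256', session_id()))) {
        return null;
    }
    return (int) $_SESSION['user_id'];
}

function logout(PDO $pdo): void
{
    if (isset($_SESSION['user_id'])) {
        // Clearing the column is what logs the user out, regardless of who still holds the cookie
        $pdo->prepare('UPDATE users SET session_hash = NULL WHERE id = ?')
            ->execute([$_SESSION['user_id']]);
    }
    $_SESSION = [];
    session_destroy();
}

// Typical use on a protected page (assumes $pdo is already connected and session_start() was called):
// if (current_user($pdo) === null) { header('Location: /login.php'); exit; }
```

Because the check in `current_user()` is made against the database on every request, an attacker who copied the cookie while the user was logged in loses access the moment the user logs out or logs in again from elsewhere, which is the behaviour the post describes.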

 


Thank you so much :). Though hopefully my last 2 questions about sessions...

 

If for example a user is logged in with sessions and has his username saved into a session variable (array) $sessions['username']. Will this variable be available to someone else? Or is it only available to his specific 'sessionID' of '786ddsah46sadh38d23h0a76'?

 

----------------------

 

Second question: if one made a form with a text field asking for a person's name, this will then be submitted via $_POST['name'] to process_form.php... If another person were to visit the same page as well and type his name too, there are 2 values for $_POST['name']... What does PHP (uhm, program?) do then?
