ajoo Posted October 24, 2013 Share Posted October 24, 2013 Hi guys !! If ever a guys was confused, I am today, having read sessions and security and realizing nothing is secure with sessions. There is no such thing as absolute security in sessions and login scripts. So today I read about about the common types of attacks - especially session fixing. This is what I could make ( I think I must have understood just about 15% of it ) out and I have some questions accordingly which I'll be glad to have sorted by the Gurus here !! 1. Sessions fixation involves there being a Session_ID stored either as cookie, sent as a URL or as a hidden field. The cookie being the most secure yet prone to maximum tampering. ( ironic - that's what the article said). Not withstanding the other hazards, I would like to question what if i designed a login session using only sessions and not involving any cookies or URL or hidden fields, how secure would that be against session fixation? I hope there's nothing stupid about that statement. I just want to know if that prevents session fixation. I think that's all I want to know for now and will come out with other questions as and when I proceed on this issue and read more. Thanks very much. Quote Link to comment Share on other sites More sharing options...
trq Posted October 24, 2013 Share Posted October 24, 2013 Sessions rely on either cookies (most commonly), or parameters passed along with each request. How else do you propose you identify a particular client? Your question is redundant. Quote Link to comment Share on other sites More sharing options...
ajoo Posted October 24, 2013 Author Share Posted October 24, 2013 Hi! WelI I identify the client through a login ID & password, and for the duration that the client is logged in I have his Session_ID stored in a session's variable. The session ID is also stored in a database upon each login . The session_ID is destroyed either when the client logs out or if the session is inactive for a certain length of time. I am relatively new to sessions so please bear with me if I ask something stupid. But yes i really wanna figure all this out. Quote Link to comment Share on other sites More sharing options...
Ch0cu3r Posted October 24, 2013 Share Posted October 24, 2013 (edited) The session data is stored on the server. The session_id needs to be given to both the client and the server on each page request. The server will then fetch the session data that belongs to that session id. If you don't pass the session id from the client to the server then you wont be able to identify the user! Edited October 24, 2013 by Ch0cu3r Quote Link to comment Share on other sites More sharing options...
ajoo Posted October 24, 2013 Author Share Posted October 24, 2013 Ok so i'ld like to ask if a user has logged in with his username and password and the server sets a session variable in the database & on every page request on the site, this session variable is checked to see if its still set & a request for and the login status is also stored and checked, where and why is the need for a cookie? each user has his or her own session ID. Would it goof up if more than one person is logged in ? But then all variables are again uniquely identifiable for each user since session ID's are unique for each. Quote Link to comment Share on other sites More sharing options...
kicken Posted October 24, 2013 Share Posted October 24, 2013 where and why is the need for a cookie? each user has his or her own session ID. Because you need some way for the client to report back what their unique session ID is. You do this either via a cookie (best method) or by appending the session ID as a URL parameter/hidden form input. HTTP is stateless. There is no way at all for you to identify individual clients without passing some kind of unique identifier between the server and the client. This need to pass some identifying information around is exactly what cookies were designed for. Quote Link to comment Share on other sites More sharing options...
mentalist Posted October 24, 2013 Share Posted October 24, 2013 A slight add to the thoughts... I also store various other bits of information such as ip, browser id (hash), proxy use, etc. I know it can all be spoofed too, but it's extra levels to meet! Quote Link to comment Share on other sites More sharing options...
ajoo Posted October 26, 2013 Author Share Posted October 26, 2013 Hi all ! So i read more about issues with sessions and cookies and my god how many times have i read them now ! In fact I am coming back to this one after sometime now but yes I read session & cookies and all and yet I am still not 100% clear. Still better though. The gurus were right as they always are. Sessions rely on cookies - trq I wish Sir, that you had told me something more about the PHPSESSID variable that automatically stores a session ID cookie on the client machine. So until I got that piece of information I was quite confused. So while I was not EXPLICITLY setting a cookie on the client side, its been done automatically by the sessions mechanism. AND That's the reason why I thought i did not need to use a cookie ( or any other form of data passing with the client ) because i was not doing so explicitly myself with a setcookie() command, while all the time using one set by the sessions. If there is still something that I have missed I would be glad if the Gurus here would fill that for me. If not, then I have some more questions :- 1. Is this cookie, set automatically via PHPSESSID, good for uniquely identifying different users or would I need to create a specific cookie again for each user identification? I mean if more than one client is exploring the website then hopefully the sessions would not confuse one for the other and mix up their data. 2. Is this cookie mechanism as safe as another that I have seen in some tutorials where a session cookie is hashed and stored along with a user cookie similarly hashed. These are then rehashed on the server and compared to values stored on a database. When I say as safe i mean against attack of session hijack or session fixation. What are the security implications with these two types of cookies. Is one better than the other? Anything else that I may be unaware of ! 3. Could you please propose some safeguards against these threats preferably with some code. 4. I came across session_set_cookie_params command and it said that this should be used before session_start. I just wanna know if someone has set a cookie and already set the time parameter to say 1 week (7*24*60*60) then why should this be invoked on each page before the session_start() ??. In fact if the parameters were set in say the set cookie command, then why use this command at all anywhere in the program? hmmm Am i asking something stupid here ? Thanks ! Quote Link to comment Share on other sites More sharing options...
Ch0cu3r Posted October 26, 2013 Share Posted October 26, 2013 1. Is this cookie, set automatically via PHPSESSID, good for uniquely identifying different users or would I need to create a specific cookie again for each user identification? I mean if more than one client is exploring the website then hopefully the sessions would not confuse one for the other and mix up their data. yes this will work with multiple users accessing the site at the same time. This very forum uses php sessions. The name of the cookie can be changed, PHPSESSID is just the default name. If wish to rename the cookie name to something else then call session_name() before you start the session. 4. I came across session_set_cookie_params command and it said that this should be used before session_start. I just wanna know if someone has set a cookie and already set the time parameter to say 1 week (7*24*60*60) then why should this be invoked on each page before the session_start() ??. In fact if the parameters were set in say the set cookie command, then why use this command at all anywhere in the program? hmmm Am i asking something stupid here ? session_start() sets the necessary cookie headers each time the function is called. If you want to override the default cookie params, then you need to call session_set_cookie_params() before the session has started. Quote Link to comment Share on other sites More sharing options...
vinny42 Posted October 26, 2013 Share Posted October 26, 2013 2:Hijacking is dome by stealing the sessionid. The only think you can do to prevent that is look at the IP, which cannot be spoofed. The problem with the IP is that a proxy can use the same IP for several clients and clients using a phone or tablet can change IP's legally while moving around, so they would have to logon again every once in a while. 3. Use SSL to make the connection unsniffable, and use session_regenerate_id() (http://php.net/manual/en/function.session-regenerate-id.php) to make the sniffed sessionid useless at the next pageview. Quote Link to comment Share on other sites More sharing options...
ajoo Posted October 26, 2013 Author Share Posted October 26, 2013 Thanks Ch0cu3r for the confirmation of my thoughts. You have helped me render some form to the formless HTML by making things a bit clear about sessions and cookies. I really wish you can shed some more detail on the security aspects that i have asked in the last message. And additionally as to your remark about changing PHPSESSID name to something else ,would that be of any particular use or in any way enhance the security ? Thanks loads all ! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.