arianhojat, posted April 22, 2007:

Hello all, had a few session questions. Based on reading the manual I understand some things but am still a bit unclear.

As I understand it, the only thing stored on the client computer is the session ID unique to the visitor (specifically to the browser they are using). It is stored in a cookie or possibly could propagate through the URL if they have cookies turned off. But that is the only info stored client-side. All other info stored in the session is stored on the server side (the session variables).

1. So when is SSL ever needed on the server for secure sign-in / secure sessions? Like when they sign in, is the username and password sent unencrypted to the server first, so everyone on the network can see that info if they have a packet sniffer? If this is true, then I guess I NEED SSL for any sort of sign-in system, since email info is private, and password info could give another person access to users' info on my site.

2. If they already signed into a session...
a. Whenever they go to a 'sessioned' page in the website, is the session ID sent unencrypted to the server first?
b. And then are the session variables sent back to the browser unencrypted?

If this is true, then theoretically someone can sniff the session ID over the network, put it in a cookie on their filesystem, and log into the website with it (within the period that the session lasts on the server, which could be until the user closes the browser, or longer if session.cookie_lifetime is set longer than 0)?
the_oliver, posted April 22, 2007:

The point of the SSL certificate is to encrypt the data between the client and server. As such the session ID will not be sent encrypted. No SSL certificate = no encryption. Whether or not you need to send it encrypted is up to you. If you're running something where security is not so important, such as a forum, then it may not be necessary.
arianhojat (Author), posted April 22, 2007:

So basically all forum websites that use my email as sign-in, and they aren't using SSL... my email is available for everyone to see? Seems like logically the answer to that question, based on your answer, is yes: since the session ID isn't encrypted, then all info isn't.
arianhojat (Author), posted April 22, 2007:

By the way, if I have the following php.ini settings:

session.use_only_cookies = 1
session.cookie_lifetime = 0 (so when the user closes the browser the session ends)

how can you also make it so that, if the user's browser is open past a certain lifetime, the session is closed too? I want someone to be able to end the session by closing the browser, but also, if the browser is kept open on a public computer, the session ends after, say, 30 minutes. So I basically want a session.cookie_lifetime but need it to be set to 0 at the same time, so when the user closes the browser, the session ends. Anyway, is this possible?
Daniel0, posted April 22, 2007:

Store some information in the database about the session. Each time the user loads a page on your site you'll then update a timestamp. Just check on each request if the session is still valid.
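A concrete way to implement what Daniel0 describes (update a timestamp on every request, reject the session once it is stale) while keeping the session.use_only_cookies = 1 and session.cookie_lifetime = 0 settings from the earlier post. This is an added example, not code posted in the thread. It assumes PHP 7.3 or newer (for the array form of session_set_cookie_params with a 'samesite' key), that the site is served over HTTPS so the 'secure' cookie flag can be set, and it keeps the last-activity timestamp in $_SESSION instead of a database table; the 30-minute and 8-hour limits are illustrative values.

```php
<?php
// Added example, not from the thread: idle-timeout session bootstrap.
// Assumptions: PHP >= 7.3, HTTPS in use, timestamps stored in $_SESSION
// (a simplification of the database approach Daniel0 suggests).

const IDLE_TIMEOUT     = 30 * 60;   // 30 minutes without a request ends the session
const ABSOLUTE_TIMEOUT = 8 * 3600;  // hard cap on session age regardless of activity

function start_secure_session(): void
{
    // Runtime equivalents of the php.ini lines mentioned in the thread.
    ini_set('session.use_only_cookies', '1');  // never read a session ID from the URL
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue

    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie: closing the browser discards it
        'path'     => '/',
        'secure'   => true,    // cookie is only sent over HTTPS, never in cleartext
        'httponly' => true,    // cookie is not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    $idle = isset($_SESSION['last_activity'])
        && ($now - $_SESSION['last_activity']) > IDLE_TIMEOUT;
    $tooOld = isset($_SESSION['created_at'])
        && ($now - $_SESSION['created_at']) > ABSOLUTE_TIMEOUT;

    if ($idle || $tooOld) {
        // Stale session: drop all server-side data and issue a fresh ID,
        // so the old ID is useless even if it was captured earlier.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['expired'] = true;   // lets the page show "you were logged out"
    }

    // Daniel0's step: refresh the timestamp on every request.
    $_SESSION['last_activity'] = $now;
    if (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = $now;
    }
}

function login_user(int $userId): void
{
    // Call this only after the password check has succeeded.
    // A new ID after authentication means an ID seen before login is worthless.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['created_at'] = time();
    unset($_SESSION['expired']);
}

function logout_user(): void
{
    $_SESSION = [];
    $params = session_get_cookie_params();
    // Expire the cookie in the browser as well as destroying the server-side data.
    setcookie(session_name(), '', time() - 3600, $params['path'],
        $params['domain'], $params['secure'], $params['httponly']);
    session_destroy();
}

function is_logged_in(): bool
{
    return isset($_SESSION['user_id']);
}

// Typical use at the top of every protected page:
start_secure_session();
if (!is_logged_in()) {
    header('Location: /login.php' . (!empty($_SESSION['expired']) ? '?expired=1' : ''));
    exit;
}
```

Closing the browser still ends the session because the cookie has no expiry; the idle check ends it for a browser left open on a shared machine, which is the combination the question asks for. If the timestamp is moved to a database row as Daniel0 suggests, the same two comparisons apply, and the row can also be deleted from an admin page to force a sign-out.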