digitalecartoons Posted October 29, 2007

Can someone help me with my mailform? It uses a Flash mailform, together with PHP and a session id. First things first: in the index.php page it starts by setting the session:

<?php
session_start();
$_SESSION["domino"] = true; // flag: this session has loaded the page that shows the form
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
//rest of page showing flash movie

When the Flash form is filled in and 'send' is clicked, the PHP script processes the data by first checking for the existence of this session id. If it's not OK, an error message returns. If everything is OK and a session id is present, the session id itself is unset. I've been told that you should immediately unset a session id after using it for security reasons.

<?php
session_start();
if (!isset($_SESSION["domino"])) {
    //error message 'forbidden access'
    exit;
} else {
    session_destroy();          // removes the session data stored on the server
    unset($_SESSION["domino"]); // and drops the flag from this request's $_SESSION array
    //rest of script: processing the form input
}

But now, when I fill in the Flash form once more and click send, of course nothing happens because the session id is cleared. And I can't set the session id in Flash itself, I think. Is there any way to fix this?

Link to comment: https://forums.phpfreaks.com/topic/75187-unset-session-id/
MadTechie Posted October 29, 2007

"I've been told that you should immediately unset a session id after using it for security reasons."

Erm... don't unset it if you need it! Unset on logout.. I guess it depends what it's for!
digitalecartoons Posted October 29, 2007 (Author)

It's to make sure that the form-processing PHP is accessed from the Flash website itself. So I've set the session id in index.php. Then, when the Flash form is filled in and 'send' is clicked, the form-processing script 'sees' that it is accessed from index.php, which is OK. My code worked in my HTML form because after sending it unset the session id, and upon return to the form it was set again. But in my Flash page it of course doesn't change location. So I thought: is unsetting it really necessary? Without it, it works fine: upon resending a Flash form from my site, the session id is still there (until the browser is closed). But then someone told me: "always unset the session when finished using the data to keep it from being hijacked no need for the browser to remember the data when the user browses to a site other than yours". What's true about that? Should I still keep on using unset/destroy?
rajivgonsalves Posted October 29, 2007

Use the PHP session_unset() function instead of destroying the session. More information is available here: http://.php.net/session_unset
MadTechie Posted October 29, 2007

What exactly is the session used for? If you link to another site then it's possible for them to get the session id, but you can improve the security. A simple example would be to also store the IP and compare it to the user's IP.. it really depends what you're using them for..
digitalecartoons Posted October 29, 2007 (Author)

How would that solve my problem? When I use only unset:

<?php
session_start();
if (!isset($_SESSION["domino"])) {
    //error message 'forbidden access'
    exit;
} else {
    unset($_SESSION["domino"]); // drops the flag; the server-side session itself stays alive
    //rest of script: processing the form input
}

... the session id 'domino' is still cleared. And upon re-submitting the Flash form, the PHP script still sees the 'domino' session id as non-existent, exiting the script.
digitalecartoons Posted October 29, 2007 (Author)

The session id is to make sure that no one can access the PHP script directly or through another website. Only the site containing the form, which sets the session id, is allowed access to the PHP script. Otherwise an error message is echoed.
MadTechie Posted October 29, 2007

I don't think you really need to worry about hijacking then.. worst case.. someone hijacks an open session that allows use for x minutes from another site.. when the session times out.. it's over.. I would probably go for .htaccess protection to stop others scraping my site..
digitalecartoons Posted October 29, 2007 (Author)

OK, but in theory... would it really be necessary for security reasons to unset the session id immediately after sending form output? Because someone said to me "always unset the session when finished using the data to keep it from being hijacked no need for the browser to remember the data when the user browses to a site other than yours". Or would it be perfectly safe without it?
MadTechie Posted October 29, 2007

OK.. just say I log in and that data is stored in a session.. then that data needs to be secure.. to stop others getting the session id.. but we don't unset until the user logs out..

"always unset the session when finished using the data to keep it from being hijacked no need for the browser to remember the data when the user browses to a site other than yours"

Okay, this isn't 100% correct.. the browser holds the session ID ONLY... this session will expire (defined by your server). If you want it more secure you could add a cookie with a random key and have the same random key in the session and then compare them.. there's a ton of things you could do but I really don't think it's worth it..
digitalecartoons Posted October 29, 2007 (Author)

OK, sorry for not immediately understanding it, I'm relatively new to this. So you're saying that when I show the form, the session id is set and, as long as it's not unset, others could theoretically get hold of it? So in that respect it would be better to unset it as quickly as possible, which now happens after I submit the form? And deleting those unset/destroy lines would keep the session id set, vulnerable for others to get it? Just in theory. Am I understanding you correctly so far?
MadTechie Posted October 29, 2007

Personally I think it's pointless unsetting them as you need them.. there's not really a security risk... you're just setting a check, nothing more.
digitalecartoons Posted October 29, 2007 (Author)

From a site about session ids: http://www.php-learn-it.com/php_sessions.html

"Remember sessions are destroyed automatically after user leaves your website or closes the browser, but if you wish to clear a session variable yourself, you can simple use the unset() function to clean the session variable"

This would mean I could easily delete those two unset/destroy lines? Because after leaving index.php or closing the browser it is destroyed anyway? So it doesn't make my PHP script less secure after all? Am I correct?
MadTechie Posted October 29, 2007

Correct.. if you link to another site then it's possible for them to get the session id, but after you leave the site your session is gone..
digitalecartoons Posted October 29, 2007 (Author)

But that would be OK, I guess? I want them only to be able to access my PHP script if they are on my site showing the Flash mailform. If they leave my site the session would indeed be gone. But what would be the downside of that then?

"if you link to another site then it's possible for them to get the session id, but after you leave the site your session is gone.."

Isn't that what should happen, I mean?
MadTechie Posted October 29, 2007

You don't need to leave a site to open another one; the new site will just be the active one.. if you close the browser then fine.... I really wouldn't worry, you're not opening a security hole.
digitalecartoons Posted October 29, 2007 (Author)

I just didn't understand what you meant by "if you link to another site then it's possible for them to get the session id, but after you leave the site your session is gone.." and how that could be a problem. Or was I reading you incorrectly? I mean:

1. entering site: setting session
2. leaving site: unsetting session
3. closing site: unsetting session
4. having a link inside your site, clicking it to go to a new site: unsetting session

That's what's happening, right?
digitalecartoons Posted October 29, 2007 (Author)

"Remember sessions are destroyed automatically after user leaves your website"

Tested it, but it isn't true.

When I access the PHP script directly I get an error message.
When I enter my site the session id is set.
When I access the PHP script again I don't get an error message and can access it.
When I leave my site to visit another and again access my PHP script, I still get access.

...so this automatic destroying of the session after leaving the website isn't true?
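An added example, not code from anyone in this thread, that puts MadTechie's "random key in the session, compared on each request" suggestion into working PHP and, since the test above shows the session does not go away when the user browses elsewhere, gives the key an expiry instead of trusting the browser to forget it. The file name mailform.php, the session keys form_token and form_token_issued, the POST field token, the movie name domino.swf and the 30-minute lifetime are all assumptions. The script serves the page on GET and processes the Flash form on POST; rather than unsetting the flag after a successful send, it issues a new token in the reply, so the movie can send again without reloading the page. What the check proves is only that the POST came from a browser that loaded this page within the last 30 minutes, which is MadTechie's point: it keeps other sites and direct hits on the script out, not a visitor who loads your page and then scripts the POST themselves. Needs PHP 7.3 or later (random_bytes, hash_equals, the array form of session_set_cookie_params).

```php
<?php
// mailform.php (assumed name): added example, not the original poster's script.
// GET  -> render the page that embeds the Flash movie and pass it a fresh token in FlashVars
// POST -> verify the token the movie sent back, process the form, hand back a new token
declare(strict_types=1);

ini_set('session.use_only_cookies', '1'); // never put the session id in URLs, so links to other
                                          // sites cannot leak it through the Referer header
session_set_cookie_params([
    'lifetime' => 0,      // cookie lives until the browser closes, not until the user leaves the site
    'httponly' => true,   // page scripts cannot read the session id
    'samesite' => 'Lax',  // browsers do not attach it to cross-site POSTs (PHP >= 7.3)
]);
session_start();

const TOKEN_TTL = 1800;   // assumption: a token older than 30 minutes is rejected

// Store a fresh random token and its issue time in the session and return it.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_issued'] = time();
    return $token;
}

// True only if a token exists, is not stale, and matches what the movie sent.
function verify_form_token($submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    $issued   = $_SESSION['form_token_issued'] ?? 0;
    if (!is_string($submitted) || $expected === null) {
        return false;                                // missing, or token[]=... array tricks
    }
    if (time() - $issued > TOKEN_TTL) {
        return false;                                // session outlived the visit; do not trust it
    }
    return hash_equals($expected, $submitted);       // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: application/x-www-form-urlencoded');
    if (!verify_form_token($_POST['token'] ?? null)) {
        http_response_code(403);
        echo http_build_query(['status' => 'forbidden']);
        exit;
    }
    // ... process the form fields here ($_POST['name'], $_POST['message'], ...) ...

    // Rotate instead of unset: the old token is spent, and the movie receives the new one
    // in the reply, so a second send from the same page passes the check again.
    echo http_build_query(['status' => 'ok', 'token' => issue_form_token()]);
    exit;
}

$token = issue_form_token();
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Mail form</title></head>
<body>
<!-- FlashVars exposes the token to the movie as a root-level variable -->
<object type="application/x-shockwave-flash" data="domino.swf" width="400" height="300">
  <param name="movie" value="domino.swf">
  <param name="flashvars" value="token=<?= rawurlencode($token) ?>">
</object>
</body>
</html>
```

On the movie side (not shown, and assumed to use ActionScript 2's LoadVars) the form reads the token from FlashVars as _root.token, sends it as the token field alongside the other fields with sendAndLoad(), and on a status=ok reply copies the returned token field back into _root.token before the next send. Binding the token to the client IP, as suggested earlier in the thread, can be added by storing $_SERVER['REMOTE_ADDR'] next to the token, but it breaks for visitors whose address changes mid-visit, so it is left out here.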