  1. #1 Regular Coder (joined Feb 2004, 145 posts)

    session security

    What is the most secure way to use sessions? Currently when a user logs in I save a session variable of the username and use this in every subsequent page. This way, though, anyone would be able to type the URL and append the username to the URL to gain access without logging in. I presume it is better to use session IDs somehow, it's just that I'm not sure of the best way to do it. Any opinions would be appreciated.

  • #2 Az` (New Coder, joined Mar 2004, 13 posts)
    Well, obviously the best way to do sessions is with session IDs. Although, it does depend on your server setup: having register_globals turned on means you'll have to use session_register(). Take a look at: http://uk.php.net/manual/en/function.session-start.php

    Remember to put session_start() before ANY output


    Edit: If you want to keep it your way, however, you could always append an md5 hash of their password onto the URL (using md5($password)).
    Last edited by Az`; 03-22-2004 at 02:06 PM.

  • #3 Regular Coder (joined Feb 2004, 145 posts)
    How about passing the session ID in the URL AS WELL as writing it to a session table in the database, then on each page check whether the session ID passed to the page matches that saved in the database? Is that along the lines of being more secure, or have I got the wrong end of the stick?

  • #4 Az` (New Coder, joined Mar 2004, 13 posts)
    Well, if you are using session IDs then you don't need to append anything BUT the session ID through the URLs.

    It does tend to depend on your PHP setup, such as session.use_trans_sid to (I think) automatically append the SID to URLs.

    It's most likely easiest to use cookies to keep sessions going.

  • #5 Regular Coder (joined Feb 2004, 145 posts)
    Ok, but I had that idea because each page needs to know which user is logged in. I don't really want to use cookies in case the user hasn't got them enabled. Would my previous suggestion (assuming the setup for session IDs is ok) work? Would it be seen as secure?

  • #6 Nightfire (Senior Coder, joined Jun 2002, 4,265 posts)
    Arghhhh. Don't use session_register. Just use the superglobal $_SESSION. Whether the session is passed through the URL or not depends on whether cookies are enabled. If cookies aren't, then it gets sent through the URL; if they are accepted, then it's passed 'transparently'.

    To check if a user's logged in (the very basic way)
    PHP Code:
    <?php
    session_start();
    if (isset($_SESSION['name'])) {
        echo 'logged in';
    } else {
        // show login form here
    }
    ?>
    Last edited by Nightfire; 03-22-2004 at 03:21 PM.

  • #7 raf (Master Coder, joined Jul 2002, 6,589 posts)
    Euhhh. What a strange discussion.

    When a client requests his first page, the webserver will check if this client has an active session, either because the SID is in the querystring or because there is a session cookie set.
    On the first page, the parser will automatically add the SID to each link since it doesn't know if the client accepts cookies.

    If the client accepts cookies, the SID is removed from the querystring and the session cookie (that only contains an encoded session ID) is used. If cookies are not accepted, the SID is dragged along by the querystring.

    This is all done automatically.

    I don't quite understand this
    What is the most secure way to use sessions? Currently when a user logs in I save a session variable of the username and use this in every subsequent page. This way, though, anyone would be able to type the URL and append the username to the URL to gain access without logging in. I presume it is better to use session IDs somehow, it's just that I'm not sure of the best way to do it.
    Type the URL and add the username? What has this got to do with sessions?

    After you validated the login, you just set a flag --> set some value in a session variable, like

    session_start();
    $_SESSION['loggedin']='yes';

    and then on top of each page, you do a

    session_start();
    // reject the request unless the flag set at login is present and has the expected value
    if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] != 'yes') {
        die('not logged in');
    }

    Whether the session ID is pulled from the querystring or cookie is not your concern. It depends mainly on the user's cookie settings.

    Users that use cookies are safer because that is more difficult to steal. When it is appended to the querystring, it can be read + it is also appended to external links ... But you can not force the sessions to be cookie-based, unless you deny access to users without cookie support.

    The safest way is to also store the IP (for users with a stable IP --> not like AOL) + to combine it with a newly generated session ID for each request ( http://www.php.net/manual/en/functio...enerate-id.php ). So with each request, you update your session table. Stealing a session would only work if the hacker can request his first page before the user did.

    <edit>posts crossed</edit>
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html
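The login flag that Nightfire (#6) and raf (#7) describe, with raf's two hardening steps (a newly generated session ID on each request and an optional IP binding), as an added example that is not code from any poster in this thread. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params), that the file is required at the top of every protected page, and that the caller has already verified the username and password before calling login_user(). The function names login_user, require_login and logout_user are invented for this example.

```php
<?php
declare(strict_types=1);

// Cookie-only sessions: the ID is never placed in the querystring, so it is not
// leaked through copied URLs or the Referer header of external links (raf's point).
// The trade-off raf mentions applies: users without cookie support cannot log in.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_set_cookie_params([
    'httponly' => true,                      // not readable from client-side script
    'secure'   => !empty($_SERVER['HTTPS']), // only sent over HTTPS when the site uses it
    'samesite' => 'Lax',
]);
session_start();

/** Call only after the username/password have been verified. */
function login_user(string $username, bool $bind_ip = false): void
{
    // Replace the pre-login session ID so an ID handed out before
    // authentication is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['loggedin'] = 'yes';
    $_SESSION['username'] = $username;
    // IP binding is only appropriate for users with a stable address
    // (raf's AOL caveat); null means "do not check".
    $_SESSION['ip'] = $bind_ip ? ($_SERVER['REMOTE_ADDR'] ?? '') : null;
}

/** Put at the top of every protected page: returns the username or stops the request. */
function require_login(): string
{
    if (($_SESSION['loggedin'] ?? '') !== 'yes') {
        die('not logged in');
    }
    $bound_ip = $_SESSION['ip'] ?? null;
    if ($bound_ip !== null && $bound_ip !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        // The session is being used from a different address than it was bound to.
        logout_user();
        die('not logged in');
    }
    // Rotate the ID on every request: a copied ID stays valid only until the
    // legitimate user's next page load (raf's "newly generated sessionID for each request").
    session_regenerate_id(true);
    return $_SESSION['username'];
}

/** Clear the server-side data and expire the cookie. */
function logout_user(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}
```

A protected page then does `require 'auth.php'; $user = require_login();` and uses `$user` instead of trusting anything from the URL, which addresses the original worry in #1: the username lives only in server-side session data, and the only thing the client holds is the session cookie.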

  • #8 Regular Coder (joined Feb 2004, 145 posts)
    Right, ok - I think I was confusing myself with what I wrote, never mind you guys!!

    At the moment if a login is successful I save the username as a session. On every subsequent page I check the value of username. If there is one, the user is logged in. All the session stuff I have at the moment works fine, I was just wondering if the way I described is the best way. I have read things about session management using session IDs and a db table but never really understood the point. Sorry if I confused anyone!!

