
Thread: Am I right about PHP sessions?

  1. #1
    Join Date
    Aug 2009
    Posts
    399
    Thanks
    42
    Thanked 4 Times in 4 Posts

    Am I right about PHP sessions?

    Hi all, again

    I am working on a new SMALL project and I want to make something clear:
    Login page:
    PHP Code:
    $password = md5($_POST['password']);
    $nick = $_POST['nick'];

    $password = mysql_real_escape_string($password);
    $nick = mysql_real_escape_string($nick);
    $nick = strtolower($nick);

    if(info is INcorrect) {ERROR} else {
        session_start();
        $_SESSION['nick'] = $nick;
        $_SESSION['password'] = $password;
        $_SESSION['authID'] = 'your_special_ID';
        (Redirect to safe_page.php)
    }

    What do I want? Protection level

    1. I think variables are safe... IS IT?
    password is md5;
    nick, pass = mysql_real_escape_string
    nick = strtolower.

    2. I used session_start(); Do I need something more to start session?
    3. $_SESSION variables which I will use. Are they correct?
    4. IS all of the login page script secured?

    OK, now the other pages, which I will keep safe:
    safe_page.php
    PHP Code:
    if(isset($_SESSION['authID'])) {
        include $_SERVER['DOCUMENT_ROOT'] . '../db_conn.php';
        $dates = date("Y-m-d");
        $times = date("H:i:s");
        $upnick = $_SESSION['nick'];
        (access granted)
    } else {
        header("Location: ../login.php"); // Not allowed
    }

    1. Is this session right?
    2. How safe is it?

    What can you offer to increase my security level?

    I want to THANK YOU ALREADY, because there are a lot of questions.

    Also, all suggestions are welcome

  2. #2
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    Your questions are somewhat confusing, and parts of your script are not real PHP.
    if(info is INcorrect) {ERROR} else {
    Assuming that those parts are correct, then yes, it looks like your script will work.

    However, one problem is that you should do session_start() at the beginning of any page that will operate independently, and NOT within an if statement. It's not a problem to start a session if they don't log in-- just don't store their login info yet. Then you can check isset($_SESSION[...]) on other pages.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  3. #3
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5


    Here's a good, easy to follow (as easy as possible, anyway) article about sessions and session security.

    How "safe" a session is depends largely on how secure you actually need your session to be. Are you dealing with records of people's favorite colors? Their name and address? Their bank information? Obviously, some things need more security than others.

    The main thing that needs to be addressed in your (vague) code example is how you verify your user throughout the session. It's great that you save the user's nickname, password, and authID in the session, but if you later use that info without double-checking it, there's no point.

    Specifically: The first thing you need to do on every "secure" page is verify and re-validate the user's info (cookies are a common and fairly secure way to do this).

    Beyond that, you'd have to finish writing your script before we could tell you how effective it was.

  4. #4
    Join Date
    Aug 2009
    Posts
    399
    Thanks
    42
    Thanked 4 Times in 4 Posts


    Quote Originally Posted by traq:
    Here's a good, easy to follow (as easy as possible, anyway) article about sessions and session security.

    How "safe" a session is depends largely on how secure you actually need your session to be. Are you dealing with records of people's favorite colors? Their name and address? Their bank information? Obviously, some things need more security than others.

    The main thing that needs to be addressed in your (vague) code example is how you verify your user throughout the session. It's great that you save the user's nickname, password, and authID in the session, but if you later use that info without double-checking it, there's no point.

    Specifically: The first thing you need to do on every "secure" page is verify and re-validate the user's info (cookies are a common and fairly secure way to do this).

    Beyond that, you'd have to finish writing your script before we could tell you how effective it was.
    You say that I need to check that the user info is right on all pages?
    What's the point?

    djr33, you mentioned that I should always create a session, but check isset($_SESSION[...])... Is there a difference between creating the session and checking the $_SESSION variable, and not creating the session at all?

  5. #5
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    In all pages that have user authentication. If it's another unrelated page without any secure items, you do not need sessions or to verify anything.


    session_start() begins a session. That means that PHP is operating sessions and they work. Then after that, you can USE $_SESSION to do whatever you'd like. Adding session_start() to the top of any page is fine. It doesn't "do" anything except start the setup for using sessions...

  6. #6
    Join Date
    Aug 2009
    Posts
    399
    Thanks
    42
    Thanked 4 Times in 4 Posts


    OK

    Btw, I have just finished reading "sessions and session security"...

    How do I correctly use Fingerprint and HTTP_USER_AGENT? Could you link me to a tutorial on these?

    Also, I was always skeptical about cookies, because they are saved in the CPU and can be revealed, and they need cookies enabled in the browser.

    Do I really need to use them to make sessions more secure?

    Thanks for your time, djr33

  7. #7
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    1. User agent: store $_SERVER['HTTP_USER_AGENT'] in the session to check that the user is still the same person and the session has not been hijacked. (If someone finds/steals the session id, they could use someone else's session.)

    2. The important part is that you check the session every time you use it. Cookies are how the session is stored on the user's computer: usually just an id. The session data (in $_SESSION) is hidden on the server and the user cannot see it. So use the cookies just as an extra thing to verify the user. It's not that you use both sessions and cookies for all the data.

  8. #8
    Join Date
    Aug 2009
    Posts
    399
    Thanks
    42
    Thanked 4 Times in 4 Posts


    So, at the top of every page there must be?:
    PHP Code:
    <?php
    session_start();
    // note: setting authID unconditionally here would mark every visitor as
    // logged in; it belongs in the login handler, after the credentials check
    $_SESSION['authID'] = 'your_special_ID';

    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);

    $fingerprint = 'SHIFLETT' . $_SERVER['HTTP_USER_AGENT'];
    $_SESSION['fingerprint'] = md5($fingerprint . session_id());
    ?>
    What can I change in this script to make it more authentic?

  9. #9
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5


    The idea behind checking the user-agent is that it's a string that is usually consistent on a single browser, but often different between different browsers. Say an attacker stole your user's session ID - they're probably not using the exact same browser and version, meaning they'd have to fake that too.

    I wouldn't be too worried about advanced stuff like that unless you've got some info that is seriously worth protecting - and if you did, you might want to hire someone who has experience doing it instead of trying to figure it out yourself.

    To answer your question, the reason you check the user's credentials on every secure page is to make sure you're still dealing with the right person. Otherwise, someone might have stolen the session, and you wouldn't have any clue. Likewise, by not checking on subsequent pages, you're just "assuming" that the user got to that page by logging in. What if they typed the URL directly and bypassed the login page? Having the user's session info doesn't do any good at all unless you check against it.

    The number one internet security lesson is this:

    never trust user input.

    They might be lying. They might be mistaken. Always assume that something is wrong.
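
    The two points made in #7 and #9 (store a browser fingerprint at login, re-check it on every secure page) put together as one added example; this is not code from the thread, and the file name auth.php, the function names and the 'SHIFLETT' salt (taken from the article the thread cites) are assumptions.

```php
<?php
// auth.php: added example, not the thread's code. Included at the top of every
// page. Names (fingerprint, login_user, require_login) are assumptions.
session_start();                      // always first, never inside an if()

// Fingerprint tied to this browser. The salt keeps an attacker who knows the
// scheme from precomputing hashes of common User-Agent strings.
function fingerprint(): string {
    return md5('SHIFLETT' . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
}

// Called by the login page ONLY after nick/password have been verified.
function login_user(string $nick): void {
    session_regenerate_id(true);      // fresh id: defeats session fixation
    $_SESSION['nick']        = strtolower($nick);
    $_SESSION['authID']      = 'your_special_ID';
    $_SESSION['fingerprint'] = fingerprint();
    // the password is not needed in the session; it has already been checked
}

// Called at the top of every "safe" page. A caller that returns from it has
// a session that was created by login_user() from the same browser.
function require_login(): void {
    if (isset($_SESSION['authID'], $_SESSION['fingerprint'])
        && hash_equals($_SESSION['fingerprint'], fingerprint())) {
        return;                       // same browser, still logged in
    }
    // missing or mismatched: treat as a stolen, forged or never-started session
    $_SESSION = [];
    session_destroy();
    header('Location: login.php');
    exit;                             // header() alone does not stop the script
}

// safe_page.php then needs only:
//   require __DIR__ . '/auth.php';
//   require_login();
//   ... access granted, $_SESSION['nick'] is trustworthy here ...
```

    PHP carries the session id between pages in its own cookie, so nothing in safe_page.php has to compare ids by hand; the fingerprint check is the extra step that notices when that id arrives from a different browser.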

  10. #10
    Join Date
    Aug 2009
    Posts
    399
    Thanks
    42
    Thanked 4 Times in 4 Posts


    One more thing then, because that means that I don't know what a session really is...
    When I start a session, does it automatically create a session_id???

    How do I check that this id is the same on another "safe" page?
