views:

172

answers:

4

I know about all the issues with session fixation and hijacking. My question is really basic: I want to create an authentication system with PHP. For that, after the login, I would just store the user id in the session.

But: I've seen some people do weird things like generating a GUID for each user and session and storing that instead of just the user id in the session. Why?

The content of a session cannot be obtained by a client - or can it?

+2  A: 

You're correct. The client just sees a randomly generated session id token. There are ways this token can be misused (hijacked, etc.), but having a GUID on top adds nothing. In contrast, options like session.cookie_httponly (JavaScript can't see session cookie) session.cookie_secure (Cookie can only be transmitted over HTTPS) protect against certain attack scenarios.

Matthew Flaschen
+1  A: 

Sometimes, for added security, developers may assign a long string to the user's session in order to make hijacking even more difficult. By setting a cookie with this new string at the time of session creation, the app can check for the correct string on subsequent requests to better ensure it is the person who actually logged in.

It's just adding one more thing a wannabe hijacker would have to guess. However, it can be a false sense of security as it does little to protect the session if sniffing is involved because the new cookie is sent right along with the php session cookie. Also, session id's are very hard to guess as it is (as I'm sure you know, just don't place it in the url but, rather, in the cookie).

Session info is stored on the harddrive so it's not obtainable by clients without application intervention.

webbiedave
I don't understand how this should improve security: If a hacker gets his hands on someone else's HTTP headers, he'll just copy the whole Cookie header - and there he goes. How should a hacker get a session id without sniffing?
eWolf
That's why I said "it does little to protect the session if sniffing is involved because the new cookie is sent right along with the php session cookie." I edited to add "false sense of security" to drive the point home.
webbiedave
@eWolf You can get a session id without sniffing in stupid scenarios where the session is sent via GET and not via POST: when the user copies the URL and pastes it somewhere, he has given away his session id. Anyway, this is irrelevant.
Lo'oris
To add to eWolf, they can also try to brute force it.
webbiedave
+2  A: 

I've never seen GUIDs being used for sessions, but there are a couple of additional methods I have seen that do add a little more security.

  • Storing the user's IP - if you need to force a session change based on locations (sometimes geoIP stuff will do this)
  • Storing the user's HTTP_USER_AGENT header string. Can provide a bit of security against hijacking if the hijacker happens to be using a different browser.

There's a great article on session hijacking countermeasures on Wikipedia, actually.

That being said, I would imagine that anyone storing a GUID as part of a session to use in session security might be failing to see a better solution (such as session regeneration). I can see other uses for a GUID to be stored (maybe it's part of a random generator for a game), but not for use with session security.

zombat
Just to add, there are folks with unfortunate ISP's that change their ip address often (sometimes every couple of minutes!) so wrapping the ip in the session can cause too many headaches.
webbiedave
@webbiedave - yeah, I don't use it unless there's a really good reason. There's lots of reasons to not use it unless you're willing to accept the issues that come along with it.
zombat
HTTP_USER_AGENT provides zero protection against any attack because it is a user controlled variable.
Rook
@The Rook - Obviously it's a user controlled variable, and you would be mistaken to rely on it. However, you might use it as an indicator that something has changed between the last time you saw the session id and this time, and force a session regeneration. The session id is also a user controlled variable, but I don't see you mentioning that. Session security is layers of assumptions, and you can't have true security without encrypting the entire transmission.
zombat
Putting the obvious aside. I think it is detrimental to recommend that people implement secuirty systems that are trivial to bypass. Perhaps you don't realize how easy it is to fool such a system https://addons.mozilla.org/en-US/firefox/addon/59 . Also keep in mind that if the attacker is using xss or sniffing the line they will be able to see the user-agent in the http header.
Rook
Checking the user agent is a form of http://en.wikipedia.org/wiki/Security_through_obscurity and I'll leave the debate at that.
Rook
@The Rook - if the attacker is sniffing or using XSS, then they've already got your session id, and everything else is moot. If you're going to make that assumption, then it's useless to talk about any other measure than SSL.
zombat
@zombat I'm glad to hear you say that, now how about modifying your post? Or can you think of any case where an attacker will have the session id and not the user-agent?
Rook
+1  A: 

The short answer is that $_SESSION is safe and you do not need to worry about its contents being leaked to a user or attacker.

The content of the session is not normally be accessible to the user. You should be able to store the user's primary key and you'll be fine. There are cases where the session can be leaked, on a normal linux system the session folder is in /tmp, however this could be changed in your php.ini to the web root (/var/www/tmp) and then could be accessible. The only other way is if the user is able to get access to the $_SESSION super global by hijacking a call to eval() or by the variable being printed normally.

If you are running on a shared host and using an old version of PHP and/or your server is misconfigured it might be possible for another user on this system to read or even modify a session file stored in /tmp/. I don't know of a single application that takes this attack into consideration. If this is a problem you can store the information in a session table in the database.

Rook