tags:

views:

172

answers:

4
+3  Q: 

PHP - What to store in a session?

I know about all the issues with session fixation and hijacking. My question is really basic: I want to create an authentication system with PHP. For that, after the login, I would just store the user id in the session.

But: I've seen some people do weird things like generating a GUID for each user and session and storing that instead of just the user id in the session. Why?

The content of a session cannot be obtained by a client - or can it?

+2  A: 

You're correct. The client just sees a randomly generated session id token. There are ways this token can be misused (hijacked, etc.), but having a GUID on top adds nothing. In contrast, options like session.cookie_httponly (JavaScript can't see session cookie) session.cookie_secure (Cookie can only be transmitted over HTTPS) protect against certain attack scenarios.

Matthew Flaschen  2010-04-26 19:48:23
+1  A: 

Sometimes, for added security, developers may assign a long string to the user's session in order to make hijacking even more difficult. By setting a cookie with this new string at the time of session creation, the app can check for the correct string on subsequent requests to better ensure it is the person who actually logged in.

It's just adding one more thing a wannabe hijacker would have to guess. However, it can be a false sense of security as it does little to protect the session if sniffing is involved because the new cookie is sent right along with the php session cookie. Also, session id's are very hard to guess as it is (as I'm sure you know, just don't place it in the url but, rather, in the cookie).

Session info is stored on the harddrive so it's not obtainable by clients without application intervention.

webbiedave  2010-04-26 19:54:49
I don't understand how this should improve security: If a hacker gets his hands on someone else's HTTP headers, he'll just copy the whole Cookie header - and there he goes. How should a hacker get a session id without sniffing?
eWolf  2010-04-26 19:57:44
That's why I said "it does little to protect the session if sniffing is involved because the new cookie is sent right along with the php session cookie." I edited to add "false sense of security" to drive the point home.
webbiedave  2010-04-26 19:58:58
@eWolf You can get a session id without sniffing in stupid scenarios where the session is sent via GET and not via POST: when the user copies the URL and pastes it somewhere, he has given away his session id. Anyway, this is irrelevant.
Lo'oris  2010-04-26 20:07:02
To add to eWolf, they can also try to brute force it.
webbiedave  2010-04-26 20:30:33
+2  A: 

I've never seen GUIDs being used for sessions, but there are a couple of additional methods I have seen that do add a little more security.

  • Storing the user's IP - if you need to force a session change based on locations (sometimes geoIP stuff will do this)
  • Storing the user's HTTP_USER_AGENT header string. Can provide a bit of security against hijacking if the hijacker happens to be using a different browser.

There's a great article on session hijacking countermeasures on Wikipedia, actually.

That being said, I would imagine that anyone storing a GUID as part of a session to use in session security might be failing to see a better solution (such as session regeneration). I can see other uses for a GUID to be stored (maybe it's part of a random generator for a game), but not for use with session security.

zombat  2010-04-26 20:01:46
Just to add, there are folks with unfortunate ISP's that change their ip address often (sometimes every couple of minutes!) so wrapping the ip in the session can cause too many headaches.
webbiedave  2010-04-26 20:06:09
@webbiedave - yeah, I don't use it unless there's a really good reason. There's lots of reasons to not use it unless you're willing to accept the issues that come along with it.
zombat  2010-04-26 20:11:17
HTTP_USER_AGENT provides zero protection against any attack because it is a user controlled variable.
Rook  2010-04-26 20:25:54
@The Rook - Obviously it's a user controlled variable, and you would be mistaken to rely on it. However, you might use it as an indicator that something has changed between the last time you saw the session id and this time, and force a session regeneration. The session id is also a user controlled variable, but I don't see you mentioning that. Session security is layers of assumptions, and you can't have true security without encrypting the entire transmission.
zombat  2010-04-26 20:33:58
Putting the obvious aside. I think it is detrimental to recommend that people implement secuirty systems that are trivial to bypass. Perhaps you don't realize how easy it is to fool such a system https://addons.mozilla.org/en-US/firefox/addon/59 . Also keep in mind that if the attacker is using xss or sniffing the line they will be able to see the user-agent in the http header.
Rook  2010-04-26 20:43:18
Checking the user agent is a form of http://en.wikipedia.org/wiki/Security_through_obscurity and I'll leave the debate at that.
Rook  2010-04-26 21:02:10
@The Rook - if the attacker is sniffing or using XSS, then they've already got your session id, and everything else is moot. If you're going to make that assumption, then it's useless to talk about any other measure than SSL.
zombat  2010-04-26 21:43:21
@zombat I'm glad to hear you say that, now how about modifying your post? Or can you think of any case where an attacker will have the session id and not the user-agent?
Rook  2010-04-26 21:54:24
+1  A: 

The short answer is that $_SESSION is safe and you do not need to worry about its contents being leaked to a user or attacker.

The content of the session is not normally be accessible to the user. You should be able to store the user's primary key and you'll be fine. There are cases where the session can be leaked, on a normal linux system the session folder is in /tmp, however this could be changed in your php.ini to the web root (/var/www/tmp) and then could be accessible. The only other way is if the user is able to get access to the $_SESSION super global by hijacking a call to eval() or by the variable being printed normally.

If you are running on a shared host and using an old version of PHP and/or your server is misconfigured it might be possible for another user on this system to read or even modify a session file stored in /tmp/. I don't know of a single application that takes this attack into consideration. If this is a problem you can store the information in a session table in the database.

Rook  2010-04-26 20:32:08

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases