  1. #1
    Senior Member Steax's Avatar
    Join Date
    Dec 2006
    Location
    Bandung, Indonesia
    Posts
    1,207
    Member #
    14572
    Hi everyone. Let's get to the point.

    I've always used sessions as a safe place to store important information. Like a single variable (like $_SESSION['admin'] = true) grants administrator access. However, I'm currently concerned about the possibility of anyone customizing his session variables or anything... is this a possibility?

    Or should I use some other system to keep track of important information? I've heard of session cookies, what are those?

    Thanks!
    Note on code: If I give code, please note that it is simply sample code to demonstrate an effect. It is not meant to be used as-is; that is the programmer's job. I am not responsible to give you support or be held liable for anything that happens when using my code.

  3. #2
    Senior Member filburt1's Avatar
    Join Date
    Jul 2002
    Location
    Maryland, US
    Posts
    11,774
    Member #
    3
    Liked
    21 times
    With session hijacking, anybody who intercepts the session hash in transit can then become the user associated with that session.

    Sessions nearly always use cookies; PHP provides a session hash cookie, and internally within PHP, that's mapped to the $_SESSION variable. So, while a user can't directly edit the contents of his session, the entire thing can be stolen.

    You can require additional challenge information, like invalidating the session if the user's IP significantly changed since the last request. You can also use a token system where each request requires a unique token, and that token (provided by the server) changes after each request, making a replay attack impossible.
    filburt1, Web Design Forums.net founder
    Site of the Month contest: submit your site or vote for the winner!

  4. #3
    Senior Member Steax's Avatar
    Join Date
    Dec 2006
    Location
    Bandung, Indonesia
    Posts
    1,207
    Member #
    14572
    Hmmm, I understand. Would it be possible to track a small amount of users (admins) to make sure no two people are using the session at the same time? Because I'll make sure that admins always logout...

    Can you elaborate on that second "token" method?
    Note on code: If I give code, please note that it is simply sample code to demonstrate an effect. It is not meant to be used as-is; that is the programmer's job. I am not responsible to give you support or be held liable for anything that happens when using my code.

  5. #4
    Senior Member filburt1's Avatar
    Join Date
    Jul 2002
    Location
    Maryland, US
    Posts
    11,774
    Member #
    3
    Liked
    21 times
    PHP assigns session hashes itself; you don't have control over it that I know of, or more accurately, you don't want to change its behavior unless you have reason to do so.

    The token method:

    1. You log into the system.
    2. You're granted access, and it sends you a cookie with a unique and random value.
    3. You request a page, in the process sending that cookie by the nature of how HTTP works.
    4. If the value of the cookie is correct, your request is allowed. If not, you're denied access.
    5. If you are allowed the request, you are given another token for the next request.
    6. Repeat 3 to 6.

    Somebody can still intercept the token and, if they use it before you do, then all hope is lost. It is, however, quite effective against replay attacks (executing the exact same request, byte-for-byte, that an authorized user made).
    filburt1, Web Design Forums.net founder
    Site of the Month contest: submit your site or vote for the winner!
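    One way to implement the rotating per-request token described above, written as an added example rather than filburt1's own code. It assumes the site is served over HTTPS, that every authenticated request passes through this file, and that the cookie name `req_token` is a free choice (PHP 7.3+ for the `setcookie()` options array).

```php
<?php
// Added example: a per-request token that is issued after login and rotated
// on every accepted request, alongside PHP's normal session cookie.
// Cookie/session key names are assumptions; HTTPS is assumed.
declare(strict_types=1);

const TOKEN_COOKIE = 'req_token';

function issueToken(): void
{
    // 32 random bytes -> 64 hex chars; the expected value lives server-side.
    $token = bin2hex(random_bytes(32));
    $_SESSION['req_token'] = $token;
    setcookie(TOKEN_COOKIE, $token, [
        'expires'  => 0,        // session cookie
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
}

// Step 2: after a successful login, grant the first token.
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true);   // fresh session id on privilege change
    $_SESSION['user_id'] = $userId;
    issueToken();
}

// Steps 3-5: validate the presented token, then hand out the next one.
function checkRequestToken(): bool
{
    $expected  = $_SESSION['req_token'] ?? '';
    $presented = $_COOKIE[TOKEN_COOKIE] ?? '';
    if ($expected === '' || !hash_equals($expected, $presented)) {
        // Wrong or replayed token: drop the whole session.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    issueToken();   // the value just presented is now useless to a replayer
    return true;
}

session_start();
if (isset($_SESSION['user_id']) && !checkRequestToken()) {
    http_response_code(403);
    exit('Invalid or reused request token');
}
```

    As filburt1 notes, a token captured in transit and used before the legitimate client's next request still wins; the rotation only defeats replay of an already-consumed request.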

  6. #5
    Junior Member
    Join Date
    Mar 2007
    Posts
    1
    Member #
    14933
    Is anything really secure? I am looking for a way ..perhaps through some sort of encryption, to enter my web business so that I am the only one with access. I am not a programmer, just wading through this to set up a business. I'm using Yahoo Sitebuilder and can't set up my forms. Well shucks, I'm just a mess.

  7. #6
    Senior Member filburt1's Avatar
    Join Date
    Jul 2002
    Location
    Maryland, US
    Posts
    11,774
    Member #
    3
    Liked
    21 times
    Doing everything over SSL (meaning the URL begins with https, not http) certainly helps, but it's not free; you need to buy an SSL certificate, and it certainly won't work on free hosting.
    filburt1, Web Design Forums.net founder
    Site of the Month contest: submit your site or vote for the winner!

  8. #7
    Senior Member Steax's Avatar
    Join Date
    Dec 2006
    Location
    Bandung, Indonesia
    Posts
    1,207
    Member #
    14572
    Nice idea, I'll use that! Great technique.

    I've got another idea, to back up that token system. I'll impose a "Safe-lock" system, which is accessible only with a code known to system admins. When activated, the lock will prevent anyone logging into an admin account other than those who use an IP from a whitelist (or his current IP). It should also create a complete backup of important data. Anyone else trying to access the admin account will be detected and blocked. After 1 hour the lock should be lifted, and for the next 12 hours any other attempts should be recorded.

    Do you see any dangers in this system, aside from the fact that a rampaging admin could decimate the site...
    Note on code: If I give code, please note that it is simply sample code to demonstrate an effect. It is not meant to be used as-is; that is the programmer's job. I am not responsible to give you support or be held liable for anything that happens when using my code.

  9. #8
    Senior Member
    Join Date
    Jun 2005
    Location
    Atlanta, GA
    Posts
    4,146
    Member #
    10263
    Liked
    1 times
    Well, the admin would have to enable it, right? How do you know they will?

  10. #9
    Senior Member visualAd's Avatar
    Join Date
    Jan 2003
    Location
    Slough, UK
    Posts
    201
    Member #
    434
    One of the methods I use is to use session_regenerate_id() with every request. This sends a new cookie with a new session ID in each request making a session ID good for only a single request.

    This does have a downside, especially in the world of tabbed browsing. If a user loads two pages simultaneously, the same cookie will get sent twice and one of the pages will load with the old (now defunct) session id. It also breaks when a session ID is added to the query string of links on the page.

    This is solvable by taking control of PHP's default session handler and storing the old session data for a short length of time. At the very least you should use session_regenerate_id() when the user's privileges are escalated (i.e. they log in to an admin area) from a normal user area.

    Another thing I do is use a session hash. I generate this by taking an md5 hash of the user agent string and the user's IP address.
    PHP Code:
    $_SESSION['hash'] = md5($_SERVER['REMOTE_ADDR'] . @$_SERVER['HTTP_USER_AGENT']);
    You can then check this has not changed at the beginning of each request.
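    An added example, not visualAd's code, putting the two points of this post together: regenerate the session id at the moment privileges are escalated, bind the new session to a client fingerprint built from the same inputs (IP address and user agent), and check it before any admin page trusts `$_SESSION['admin']`. Function names are assumptions; sha256 is used in place of md5.

```php
<?php
// Added example: session id regeneration on privilege escalation plus a
// fingerprint check at the start of every admin request.
// Function and session key names are assumptions.
declare(strict_types=1);

function fingerprint(): string
{
    // Same inputs visualAd uses; sha256 instead of md5 is the only change.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . '|' . $ua);
}

// Call this once the user has proven they may enter the admin area.
function escalateToAdmin(int $userId): void
{
    session_regenerate_id(true);          // old id is deleted, not just abandoned
    $_SESSION['user_id'] = $userId;
    $_SESSION['admin']   = true;
    $_SESSION['hash']    = fingerprint(); // bind the new session to this client
}

// Run before any admin page reads $_SESSION['admin'].
function requireAdmin(): bool
{
    if (empty($_SESSION['admin']) || empty($_SESSION['hash'])) {
        return false;                     // never escalated in this session
    }
    if (!hash_equals($_SESSION['hash'], fingerprint())) {
        // IP or user agent changed mid-session: treat it as a possible hijack
        // (this is also what logs out a legitimate admin whose ISP changes IP).
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

session_start();
if (!requireAdmin()) {
    http_response_code(403);
    exit('Admin session invalid');
}
```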

  11. #10
    Senior Member leprechaun13's Avatar
    Join Date
    May 2005
    Location
    Northampton
    Posts
    487
    Member #
    10058
    There's a problem with using an admin IP whitelist: some ISPs regularly change your IP address, so if this isn't updated in the whitelist, authorised admins won't be able to get in. Apart from that, a pretty good idea.
    Regards Phil,


