
PHP/MYSQL - Session Security

liam_d

Well, we all know of SQL injection, but what about sessions?

I am sure there are ways of hacking sessions, so how do you all deal with session security?
 
0
•••
There are ways to hack just about everything.. The only 100% way to not get hacked is to hash every single thing.

When passing secure stuff such as passwords over sessions hash it.. But for usernames and stuff.. Let it be.. if they really want in.. They will get in.. No matter what you do.. That is unless you have a lot of people monitoring every visit and person who accesses your site.

The best method is to find ways to lower the amount of stuff stored on your users' computer.. Such as sessions, cookies, etc.. Try to use IDs (for example shopping carts) and have the rest in a database..

- Steve
 
0
•••
It really depends on how you have sessions implemented.

But the main thing to do is, regardless of whether a user has a valid session or not, check that they seem to be who you are expecting. For example, when they log in, put something in the database that is uniquely identifiable to them (of course this should not be in a cookie, as all someone needs to do is copy the cookie then). Also make sure that the session expires sooner rather than later.

Another thing to avoid is persistent logins.
 
0
•••
Never store a password in a cookie/session.
You don't need to.
You can generate and update their record with a random ID for them along with their user name once they successfully login.
If I had time I'd go through the whole thing, but Google search some login methods for PHP and you'll see some great techniques.
 
0
•••
For my sessions, I just use 'isloggedin' and 'username'.

I don't know how anyone would use a fake session or create that variable by themselves..

Every site cannot be hacked, I don't know why you say that.
 
0
•••
Dan Friedman said:
For my sessions, I just use 'isloggedin' and 'username'.

I don't know how anyone would use a fake session or create that variable by themselves..

Every site cannot be hacked, I don't know why you say that.

So far every big site I know of has been hacked.. The creators of our programming language php.net was hacked.. Yahoo.com was hacked.. eBay.. Paypal.. Microsoft.com was hacked.. Blah blah blah.. So far those are VERY highly secure websites.. They were hacked.. It doesn't matter what you do.. They can hack you.. it is just the way the world is made.. So far there isn't one program or OS that doesn't have ways to bypass firewalls and junk to get in..

Whether you get a script junkie or a hacker.. Is the difference..

Everything within reach of the internet is hackable.. It depends how much time they want to spend trying to hack you..

You being a computer dude.. Should know.. Norton and all that stuff.. Only decreases your chances by filling in and scanning ports for misc actions which should not belong..

- Steve
 
0
•••
I agree with iNod, anything can be accessed, it's just a matter of time and effort.

I'm not entirely sure how you'd "hack a session". As far as I understand session mechanics, the information is stored in a hidden session folder, only accessible to those on your server (which is the main security issue with sessions for sites on shared hosts, as it's 1 folder to a server).

I read one idea once about using a cookie to randomly generate an encryption key and store it in a cookie for the user. Then you use the key to encrypt all the session data and to fetch it out again you access the cookie for the key and decrypt it.
 
0
•••
Oh noes, I've been hacked...

Hack this:

<?php echo 'h4xor3d'; ?>

Hmm.. I just thought about that..
- waits for a mod to edit this and say they hacked it -
 
Last edited by a moderator:
0
•••
Pretty much anything can be hacked. But the best way to avoid being hacked EASILY is to avoid storing anything on the client computer, in cookies or sessions.

It would probably be best to use the 'loggedin' approach. Hash any passwords.

You can also ban any IP Addresses that log in x times or try to do some action x times.

All the best, Rhett.
 
0
•••
Shorty said:
I'm not entirely sure how you'd "hack a session". As far as I understand session mechanics, the information is stored in a hidden session folder, only accessible to those on your server (which is the main security issues with sessions for sites on shared hosts, as its 1 folder to a server).

Well, there has to be a way for the client's computer to identify itself so the server knows which session to use. This comes in the form of a cookie OR a session ID.

If someone manages to get the cookie or session ID, a hacker can easily get in by either placing the cookie in their own cookies folder and traversing the site OR going to the site and adapting the address with the session ID they have got.

If the server does not do proper checks to ensure that this person is who they are expecting, then effectively the site is hacked. The session ID one is somewhat of a big problem, especially if you have a site where people are likely to give others the address of the page they are looking at (they unknowingly give people access to their account).

iNod said:
So far every big site I know of has been hacked.. The creators of our programming language php.net was hacked.. Yahoo.com was hacked.. eBay.. Paypal.. Microsoft.com was hacked.. Blah blah blah.. So far those are VERY highly secure websites.. They were hacked.. It doesn't matter what you do.. They can hack you.. it is just the way the world is made.. So far there isn't one program or OS that doesn't have ways to bypass firewalls and junk to get in..

The majority of hacks are done at the operating system level, which PHP cannot stop.
 
0
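The post above describes the two ways a session ID reaches the server (a cookie, or an ID appended to the URL) and says the fix is for the server to do "proper checks". Here is what those checks look like in PHP's own session settings. This is an added example, not code from the thread or from any of the posters' sites; it assumes PHP 7.3 or later (array form of session_set_cookie_params and setcookie) and that the site runs over HTTPS, and the function names are my own.

```php
<?php
// Added example (not from the thread): make PHP carry the session ID only in
// a cookie and refuse IDs it did not issue, then re-issue the ID at login.
// Assumes PHP >= 7.3 and HTTPS. Function names are placeholders of my own.
declare(strict_types=1);

function start_hardened_session(): void
{
    // Never read or emit the ID from the query string. This is the
    // PHPSESSID-in-a-pasted-link problem: the ID travels with the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Strict mode: a cookie carrying an ID the server never generated is
    // ignored and a fresh ID issued, so an attacker cannot plant an ID and
    // wait for the victim to log in with it (session fixation).
    ini_set('session.use_strict_mode', '1');

    // Cookie hardening: not readable by script, only over TLS, not sent on
    // cross-site top-level POSTs, and discarded when the browser closes.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();
}

/**
 * Password check followed by session promotion. Only the user's id goes into
 * the session; the password is never stored there or in a cookie.
 * $storedHash comes from the users table and was produced by password_hash().
 */
function login(string $candidate, string $storedHash, int $userId): bool
{
    if (!password_verify($candidate, $storedHash)) {
        return false;
    }
    // Swap the ID at the privilege boundary: an ID seen before login (shared
    // URL, copied cookie, attacker-planted value) is worthless afterwards.
    session_regenerate_id(true);          // true = delete the old session data
    $_SESSION['user_id'] = $userId;
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie client-side as well as destroying the server copy.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Typical use at the top of login.php (form field names are placeholders):
// start_hardened_session();
// $row = ... fetch id and password_hash for $_POST['username'] via a prepared statement ...
// if (login($_POST['password'], $row['password_hash'], (int) $row['id'])) { header('Location: /'); }
```

The same three settings can go in php.ini instead (session.use_only_cookies=1, session.use_trans_sid=0, session.use_strict_mode=1), which is preferable on a host you control because they then apply before any script runs. Strict mode only has teeth if the session handler can tell issued IDs from unknown ones; the default file handler does, but a custom handler must implement validateId for it to work.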
•••
filth@flexiwebhost said:
Well, there has to be a way for the client's computer to identify itself so the server knows which session to use. This comes in the form of a cookie OR a session ID.

If someone manages to get the cookie or session ID, a hacker can easily get in by either placing the cookie in their own cookies folder and traversing the site OR going to the site and adapting the address with the session ID they have got.

If the server does not do proper checks to ensure that this person is who they are expecting, then effectively the site is hacked. The session ID one is somewhat of a big problem, especially if you have a site where people are likely to give others the address of the page they are looking at (they unknowingly give people access to their account).

The majority of hacks are done at the operating system level, which PHP cannot stop.

That is true. The whole reason behind this post is that I am the creator of VUBB. Although it is now sold, I still visit it, and I posted a link on a site which had the phpsessionid appended to the URL, which I forgot to take out, and someone got in and changed my signature on vubb.com.

How would you make sure people can't do that?
 
0
•••
A basic way would be to check something that is fairly unique to that individual, for example $_SERVER['REMOTE_ADDR'], although that is far from ideal but gives an OK start.

Another option is to set a cookie with a unique token that changes after each page load (the token may need to be stored in the user's field in the DB as well). If they do not match then it can't be the user, so jump out of the session.
 
0
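Two posts in this thread describe the same mechanism from different angles: the earlier one ("generate and update their record with a random ID for them ... once they successfully login") and the one just above (a token that changes after each page load and is compared against the user's DB row). The following is an added example of that mechanism, not code from the thread or from VUBB. It keeps the token on the server side of the session rather than in its own cookie, rotates it on every authenticated request, and adds the short idle timeout an earlier post recommended. It assumes PDO with SQLite; the in-memory database, table and column names, and the demo user are all constructed here so the script runs stand-alone.

```php
<?php
// Added example, not code from the thread or from VUBB: a per-login random
// token stored in the user's DB row, rotated on every request, plus an idle
// timeout. PDO/SQLite in-memory DB, schema and user are constructed for the
// demo; in a real app db() would return the existing connection.
declare(strict_types=1);

const IDLE_LIMIT = 900;   // seconds without a request before the login lapses

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null,
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        // Constructed schema and user for the demo.
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT,
                     session_token TEXT, last_seen INTEGER)');
        $pdo->exec("INSERT INTO users (id, name) VALUES (1, 'liam')");
    }
    return $pdo;
}

function new_token(): string
{
    return bin2hex(random_bytes(32));   // 256 CSPRNG bits; not guessable
}

function store_token(int $userId, string $token): void
{
    db()->prepare('UPDATE users SET session_token = ?, last_seen = ? WHERE id = ?')
        ->execute([$token, time(), $userId]);
}

/** Call once, after the password check has succeeded. */
function bind_session(int $userId): void
{
    session_regenerate_id(true);         // fresh ID at the privilege boundary
    $token = new_token();
    store_token($userId, $token);
    $_SESSION['user_id'] = $userId;
    $_SESSION['token']   = $token;       // server-side only; never in a cookie
}

/** Call at the top of every authenticated page. Returns the user id or null. */
function check_session(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['token'])) {
        return null;
    }
    $userId = (int) $_SESSION['user_id'];
    $stmt = db()->prepare('SELECT session_token, last_seen FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // hash_equals compares in constant time, so a wrong token cannot be
    // narrowed down byte by byte from response timing.
    $valid = $row !== false
        && $row['session_token'] !== null
        && hash_equals((string) $row['session_token'], (string) $_SESSION['token'])
        && time() - (int) $row['last_seen'] <= IDLE_LIMIT;

    if (!$valid) {
        end_session();                   // mismatch or timed out: log out
        return null;
    }

    // Rotate: a stolen ID/token only works until the real user's next
    // request; after that exactly one of the two parties is logged out.
    $next = new_token();
    store_token($userId, $next);
    $_SESSION['token'] = $next;
    return $userId;
}

function end_session(): void
{
    $_SESSION = [];
    session_destroy();
}

// Demo (constructed). From the CLI, session_start() works without HTTP.
session_start();
bind_session(1);
$first  = check_session();               // genuine request: accepted, token rotated
$_SESSION['token'] = 'stale-or-copied';  // simulate a replayed old token
$second = check_session();               // rejected and the session ended
printf("first: %s, replay: %s\n",
    $first === 1 ? 'accepted' : 'rejected',
    $second === null ? 'rejected' : 'accepted');
```

Two caveats a practitioner would want before copying this. Rotating on every request breaks legitimate concurrent requests (two tabs, or several AJAX calls in flight at once: the second to arrive carries the token the first already replaced), so real deployments usually rotate on a timer or only around sensitive actions, and treat a mismatch as "re-authenticate" rather than as proof of attack. Binding the session to $_SERVER['REMOTE_ADDR'], as suggested above, is weak in the other direction: users behind NAT or corporate proxies share an address, and mobile users change address mid-session, so it should at most be a signal, not the sole check. On the cookies-disabled question raised below: with session.use_only_cookies the user simply cannot log in, which is the intended outcome, since the alternative is the URL-carried ID that started this thread.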
•••
filth@flexiwebhost said:
Another option is to set a cookie with a unique token that changes after each page load, (the token maybe to be stored in the users field in the db as well) if they do not match then it cant be the user so jump out of the session.

That is a great idea!
But then what if the browser doesn't support or have cookies enabled?

(but then what browser doesn't support cookies these days anyway?)
 
0
•••