A Sessions Question- Security

Anon

Ok everyone here has been extremely helpful in making this program work, now that I have built the database and the login script and the profile entry pages, now I have another dilemma.

This question is for all of those folks that love to explain things.

I want the site to be a members only site. I figured out and have tested somethings with SESSIONS and I am impressed at how easy it is to use- beats having to script all the cookie crap.

The main problem I have now is that once someone logs in, it creats a session or picks up the last session. BUT if their account expires or I ban that person, how can I stop him from going to pages that he has bookmarked?

The session script I have basically looks for session variables that check to see if the user is authorized for a particular page. If he has bookmarked the page and returns, he could go right to the page because the session stil exists on his machine.

Will I have to include a session script that verifies the variables against the Database each and every page? That seems to be a bad thing, load-time wise.

Also- this bugs me too- How can I make a session last only as long as he has the browser open? Is it possible to have a session auto-destruct when the browser is closed? I knwo i can do the get/post method of passing variables age to page and that would prevent it, but that gets tedious.

Any Suggestions?

van__

Tony wrote:

The session script I have basically looks for session variables that check to see if the user is authorized for a particular page. If he has bookmarked the page and returns, he could go right to the page because the session stil exists on his machine.

Wrong.
Even if he had it bookmarked with the SESSID in the URL, he wouldn't be able to pass through your session detection since the session really lives on the SERVER, all the client gets is a browser cookie. The browser cookie is never actually stored on the HD past the life of the window being open, so once they close the window, the browser cookie dies and their session will get GC'd when it's time.

If you ban them, then they should not be able to log in. And my rule of thumb is to NEVER hand out a session on a site without a login ...except if there is never an actual login and I just want to track visitors... but even then, I could just specify a login var in the session to check if they are a logged user or not.

Anon

Thanks Van! That actually puts my mind at ease quite a bit now. I was concerned because I kept hearing about how sessions are not a secure method for making a members only area. I did NOT want to have to do an HTACCESS type of deal. This has opened up a lot man- thanks! 🙂

[deleted]

"And my rule of thumb is to NEVER hand out a session on a site without a login"

There's nothing wrong with handing out sessions without a login.

The point is that you should never trust any data that comes from the client.

So if someone sends a sessionid through the URL (don't need cookies to get PHP to recognize a session, so the cookie-expiration is not a valid security thing)
you must verify the user's identity by his IP. It's 'easy' to get someone's sessionid, but very difficult to spoof his IP.

You can always hand out a session even if a user is not logged in, just mark the session as 'not logged in'.
Then when the user logs on you mark the session as 'logged in' and store his IP in the session data.
Then with the next request the user makes he'll send you his sessionid and you can compare the IP in the session data with the IP the webserver gives you for that user.

That is relatively secure.

Ofcourse, real security means using SSL so hackers can't get the sessionid in the first place, let alone hijack the SSL connection.

A forum, a FAQ, email notification, what else do you need?