secure authentification / session

monexx

Hi,

I am right now designing a website which may contain sensitive information and I must implement secure authentification.

My great fear is that username / password might be stolen, or that someone could steal session information and use the system as the previous user didn't logged out.

I have in fact 3 questions:

Can cookies be stolen and used on an other computer?

How does really work the session management in PHP (session_start)? Is there data copied on the client's computer using this technique?

What could be the best way to secure authentification and make sure no one steal session information?

Thank you very much

S. Breton
Québec City, Canada

Anon

sessions ( session_start ) is effectively server side cookies...

monexx

ok, but then how does the server knows it's the same user without storing any information on the client side?

How does it work then? Using the IP Address? If then, what if 2 users are connected from behind a proxy server?

Anon

php tries to set a cookie in the browser, containing no more than a unique session id (SID).

all session data is stored on the server, matched with the users unique SID. by default, every session will be saved as a text file named after the SID, which contains the session variables in a serialized form.

if cookies are disabled, php automatically appends the SID appended as GET variable to all links in your web page, so the server gets to see it, too.

the most secure way of logging in would probably be via https, otherwise the username/password would be transferred plain text over the network.

i don't know about really decent authentication system in php, but i'm sure there is one. if you find one, could you please post it here?

hope this helps,
phil

monexx

Thank you Phil. That's what i wanted to know.

Correct me if i am wrong, but the SID could easily (by scanning ports) be stolen and used on an other computer. So maybe the solution isn't there. The only thing i can do is to validate it with an other data, such as IP Address.

Implementing HTTPS won't be free and will be considered. Although it's not 100% sure, it's the best way, well, as far as i know.

For now, i will go on with simple authentification, using PHP basic functions.

I think education is the best way to avoid most problems. Teaching people to log off and staying away from viruses and attachments containing macros will be much more efficient (and inexpensive).

Auditing is also very important... and i will probably add some traps to my code, traps only hackers would see (and try, and then cry!).

Maybe later, i will try to build a simple java applet for entering password using the mouse, so that keyboard listeners won't work. Maybe encryption inside, i'll see.

I think i should go back to school in computer security... i'll never get unemployed!!!

If you have any idea, don't hesitate to share!

Thank you all for your help.

S. Breton