Customized sessions => improved security?

nobru

Hi hi hi,

3 questions:

1) "by default, each session is stored as a separate file in a temporary directory", but one can also customize the sessions and save them in a db (Mysql for instance).
Is it safer to save them in the db rather than keeping them in the tmp dir?

2) Is the default mode mentioned above, is the session id secure or is it better (if possible) to generate a custom one?

3) Does anybody know a good authentication system WITHOUT USING COOKIES?

Thanks in advance for your answers.

nobru

Anybody has a clue guys?

fukas

1) I guess. It's this question is very specific. It depend on many reasons.

2) Session ID is generated really good, and enough. If you can use our own ID just do it. You can try to use md5(). :-)

3) Hmmm, what about Apache autentificaion system?

I you can, we can talk about it throw email. fukas@centrum.cz

pinkbike

Originally posted by nobru
Hi hi hi,

3 questions:

1) "by default, each session is stored as a separate file in a temporary directory", but one can also customize the sessions and save them in a db (Mysql for instance).
Is it safer to save them in the db rather than keeping them in the tmp dir?

2) Is the default mode mentioned above, is the session id secure or is it better (if possible) to generate a custom one?

3) Does anybody know a good authentication system WITHOUT USING COOKIES?

Thanks in advance for your answers.

Depends if your server is setup with correct permissions on the temp dir and if it is setup with correct permissions for the db files. The data is stored in files either way. (the db is just a file)
If your server is locked down you're safe either way. File sessions are faster. You can try using MM - storing the session data in memory.
You're pretty good there. I don't know off hand how the session variable is generated but I would gather it is with pretty random information. And in this case it would only matter if you can generate better random strings than the php.
Your client has to sent some kind of information to your server on ever GET/POST request to get authenticated. One way to improve your security is to use https so the transmition of this data is encrypted.

Another way is to make server sessions expire quickly and rotate the sessions on the users computer. This is particularly important if you have some session or cookie key on the client that maintains a login over a long time.

Also you can store the IP, client browser metrics, etc in the session and then check whether the client with this valid session cookie has the same parameters. (Remember IPs change and sometimes change from request to request depending on the users setup, and this can wreck havok.) You can always store multiple valid IPs from the user.