PHP 4.x Session Security

Tekime

Good day everyone,

I have a question about PHP 4.x's internal session handling. I could use some clarification on how PHP handles session data.

AFAIK, using PHP's session handling functions, session data is stored server-side, and ONLY the sid is stored client-side.

For example, if I set $SESSION['somevar'], then retreive that value a few page hits later, I should only have to be worried about the clients session id authenticating, as opposed to worrying about $SESSION being tainted, right?

Also, IIRC PHP session data can be stored on disk, in a DB or in shared memory. Has anyone experimented with these different options? I'm sure memory would be the quickest, as long as you don't run out, but do you think DB sessions would be any faster than flat file session data?

And finally, I have been reading that PHP's session functions can be given a new handler, so one could re-write every session function and plug it in. Are there any libraries out there that would be worth looking at as an alternative?

Thanks for any help and/or opinion on these topics 🙂

edit: sp

Tekime

bump

I'll give this one more try 😉 😃

cmburns69

AFAIK, using PHP's session handling functions, session data is stored server-side, and ONLY the sid is stored client-side.

For example, if I set $SESSION['somevar'], then retreive that value a few page hits later, I should only have to be worried about the clients session id authenticating, as opposed to worrying about $SESSION being tainted, right?

That is correct.

Also, IIRC PHP session data can be stored on disk, in a DB or in shared memory. Has anyone experimented with these different options? I'm sure memory would be the quickest, as long as you don't run out, but do you think DB sessions would be any faster than flat file session data?

As I see it, these are the benefits (and drawbacks) of each method mentioned:

Memory - This is the fastest (nothing is faster than reading from memory, right), but unless you have a dedicated machine, you will probably run out of memory, to the detriment of all your programs.
Disk - This is my favorite all around solution, because it is default and works well right out of the box. It is not scalable across a server farm, but works well with any number of hits on a single box.
DB - This is very scalable (as scalable as the D😎 overall, but will probably be slower than either of the other 3 options.
Custom solution - This will probably end up being the best combination of speed and scalability, but can take awhile to engineer correctly. (read below)

And finally, I have been reading that PHP's session functions can be given a new handler, so one could re-write every session function and plug it in. Are there any libraries out there that would be worth looking at as an alternative?

The company I work for uses a proprietary in-house solution we developed that replaces the default session handling functions.

We have a dedicated box for serving sessions, which keeps the session in memory until it is no longer needed. The protocol to access the session is also very efficient, leading to very fast and scalable sessions.

Conclusion:

PHP sessions are great, and unless you really need it, the default disk sessions are probably enough for you.

Tom Brown
Netnexus: Where gamers play
http://www.netnexus.com

Tekime

Thanks for the reply 🙂

I have since spoken with another experienced PHP coder, and they agreed that for the most part PHP sessions are adequate, and secure.

I am also using a session authorization class I built 'on top' of the existing PHP session functions. Every page hit on my site instantiates the class, and automatically compares the client's IP address and user agent against a session table. Any spoof gets a die().

It's not 100% perfect, but if anyone does manage to spoof the SID, they better learn to spoof the IP address and UAgent as well.

As far as storage methods, I am just using the default disk storage. It works fine for me, but I was just curious about the other options. Shared memory would be extremely fast, but I guess you would really need to balance the load on that server before you started crippling PHP apps, as well as the server itself.

A dedicated session box sounds like a great idea for a high-traffic site. I'm curious though, since you are utilizing memory storage, is it controlled well enough to never exceed available memory, or is it 'aware' enough to move to other storage methods before paging all the sessions? Sounds like a very cool project.

Thanks again for the help 🙂

cmburns69

There isn't really any special memory management code in our session server, so it does have the potential to bog down under high loads... But each session is only about 10K, and there is a 1GB of ram on the box, allowing for a couple of thousand concurrent sessions before overload...

Our needs are fairly unique (sessions aren't temporary, and must be stored indefinately), so the server moves them from memory to disk if they are inactive for too long.

Our solution is fairly configurable, so if the server was running out of memory, we could configure it to "timeout" the sessions quicker, keeping fewer in memory.

Tom Brown
Netnexus: Where gamers play
http://www.netnexus.com