Security with sessions

webpoet

I´m going to build a small private community where the users log in and is then kept logged in by sessions. Can someone either tell me or point me to an article where any security issues with sessions are described ? The site needs to be very secure and I need to stop for instance session hijacking and any other security loopholes.

Thanx in advance!

MAsterTom

why not work with cookies??

that way you can CONTROL how long a user CAN be online... and WHEN he has to sign in again...

laserlight

"that way you can CONTROL how long a user CAN be online... and WHEN he has to sign in again..."
That sort of clientside data can be altered.

I dont know of any particular online resource on the topic that is really good though, my knowledge here is mostly gained from reading books.

Have you tried searching the Web?

MAsterTom

Originally posted by laserlight

Originally posted by MAsterTom
...that way you can CONTROL how long a user CAN be online... and WHEN he has to sign in again...

That sort of clientside data can be altered.

I KNOW it can be altered... but if you dont KNOW the proper values... what can you do?? try all possibilities?? yeah... thats right.. thats what you could do...

you're right... but ehm... is that a problem??

'cause with ALL the letters and numbers... lets say 5 characters for the USERname...

...thats 36 ^ 5 = 60466176 possibilities ONLY for the name...

only FREAKS and weird people will try to get in...

but still... you're right... it should be better if the password and/or the username is changed constantly... but is that realistic?

anyway... webpoet?? do you really need to be so freaking tight secured??

zacarias

Originally posted by webpoet
Can someone either tell me or point me to an article where any security issues with sessions are described ? The site needs to be very secure and I need to stop for instance session hijacking and any other security loopholes.

Make sure the user identification is comming from the session and not get/post.
Don't store sensitive information [password] on the session: someone could hack the server and get password information.
Encript the passwords before saving them in the DB. md5 works fine for that. This way you prevent problems related to the previus sugestion. Also, if someone hacks the database, they wont see the plain passwords.
Use the session to store a user id that allows you to fetch it's data, or basic data that you'll need in the scripts - username, email, etc.
It's also possible to use HTTP authentication.
If the script must be really secure, use SSL.
Advice your user's not to share their passwords and specially not to have them in a post-it glued to their desk at work.
Check everything the user gives you before sending SQL queries with vars to the DATABASE. Read about SQL Injection.
Add a security measure as follows: insert a new field into the USER's table. Call it "number_of_tries". Everytime a user tries to log in and fails (wrong password), add a value to that field. When it reages 3 (example), block the acoount. The user will have to ask a new password / account unlock by e-mail. This will help prevent brute force attacks.

There's no such thing as perfect security. What you invest in security should be proportional to the value of the data that's handled inside the system.