session problem, security!

sirTemplar

hi. i have pages wherein a username and password are needed to be able to gain access. this works with session. however i noticed something that might be a security risk. when i try to copy the url of a pag after login, eg.

http://www.mysite/mypage.php?PHPSESSID=bd7be0ba8fb366907725daf74d473ae9

then close the browser, even close the computer and erase cookies, the next time i try to open the above link, i can gain access to the page! i the session seems to be remembered. how can i prevent this? thanks.

Erkilite

you should not put the session id in the url.

if session security is important to you, you may also want to consider adding a custom session handler that will store your sessions in a db. (especially if you are on a shared host)

AstroTeg

This is by design. Sessions requires an ID to get passed around. It can be passed by cookies or as a URL parameter. Even if it wasn't on the URL, you would still be logged in. Assuming you revisit the page before your session times out. I might recommend providing a log out feature which kills the session when the user clicks log out. Trick is, if the user doesn't "log out", the session stays active and they can go right back to the URL, either with the session ID on the URL or in a cookie.

If this still is unacceptable, then maybe sessions isn't a good fit for your site.

sirTemplar

so other than using sessions, what do you suggest to use for security?

deep

Check you php.ini file or write phpinfo(); there is a variable there (dont remember the name) that holds the time for sessions to expire. on most servers the variable is set to something like 10-20 min. Your variable must be set to never expire or something? In that case your id will be remembered by the server for a very long time.