what's your habit in securing sessions?

Tea_J

Hi guys,

Do you take any extra security measures to secure your sessions?

most of the time im contented to just using sessions, passing the session id along with my request URLs..

profile.php?ses_id=6b594c049e39a40ad6d54dc16f223775

but i do know that if i someone knows someone's session id, and he uses the same URL as above on a different computer, anywhere in the world, the scripts would recognize the hacker as a legit user....

so.. i wanted to know what measures/techniques you do to prevent this?

can one set the php settings to NOT recognize the session ID if it's coming from a different IP or something?

Kudose

If you add the following code above your session_start, it will disable the session ID from being passed in the URL.

ini_set('session.use_trans_sid', false);

Tea_J

hi Kudose,

i just read up on that. hmm.. not quite what i was looking for.. but thanks..

which session control functions can destroy sessions when browser is closed??

What im trying to get at is, sometimes when i log in and session is initiated, anywhere in the page i am logged in.. which is cool.. then when i CLOSE ALL THE INSTANCES OF THE BROWSER im using, then open it again, i get logged out..

What mechanism/session control is responsible for this? I want the session on the server to be deleted soon as the user has closed the browser..

homchz

I thought that was the point of a session. It is killed upon the browser closing.

Now a cookie would stay set, and I beleive if you do not set a time frame for a cookie they expire at the end of the session as well.

rowman

http://www.php.net/manual/en/function.session-destroy.php

Tea_J

I thought that was the point of a session. It is killed upon the browser closing.

Now a cookie would stay set, and I beleive if you do not set a time frame for a cookie they expire at the end of the session as well.

that's what i thought also.. but apparently, when using session id in URL, even if I close the browser, when i turn it back on and GO to the same link (with the session ID in URL) i am still logged in..

also the session id is not DELETE off the server.. the session id is still in the temp directory even when i close all instances of the browser..

@, thanks mate, but i do not wish to DESTROY session manually.. want it to do automatic as expected (close browser and session is destroyed)

bretticus

The session id in the browser URL is a failsafe for the instance when PHP cannot write a cookie. thus, the session can still be persisted. As far as the server is concerned, a session can only timeout (you can explicitly use session_destroy().) In order to timeout, the web server must not have contact with the remote host for the session lifetime value (a php.ini value which is 24 minutes by default I think .) Session fixation (URL attachement) can be dangerous if your login protects sensitive information. YOU SHOULD use SSL regardless in any event. You can also use

ini_set('session.use_only_cookies', true);

to force sessions to only use cookies.

bretticus

Oh yes, my main point, session cookies always expire after the browser closes (all parent instances included.)

bretticus

Oh yeah,

Also (man, I keep posting!!! I'll be quiet after this one 😃 )...

One way I decided to secure my sessions up was to store the ip address in a session variable. I checked to see if the ip recorded with the session was in the same netblock via WHOIS to avoid hindering a validated user behind an AOL proxy farm for example. I never used it in production, and it seems WHOIS protocol may have changed since then, but if anyone is interested, I'm sure I could dig it up.

Tea_J

hehe that's aite man keep posting!
heheh

Oh yes, my main point, session cookies always expire after the browser closes (all parent instances included.)

well, i thought this was my case before.. but i also thought that when browser is closed the session infos ON THE SERVER is also destroyed. apparently this isnt the case.. because i did an experiment.. and monitored my server's directory for where sessions are stored.. and when closing everything after the session was created.. the session folder remained on the server.. hmm..

well i guess the best thing is that IP stuff. and perhaps add a time() information there. and set timeouts manually..

life if (this connection's time is greater than last connection plus 1000 seconds) die..

hehe

bretticus

well, i thought this was my case before.. but i also thought that when browser is closed the session infos ON THE SERVER is also destroyed. apparently this isnt the case

You are absolutely right. When I said...

the session can still be persisted. As far as the server is concerned, a session can only timeout

I was explaining what you found via experiment. As far as the security concerns presented by this scenario, unless your browser has some way (like typing in url?sid={the-old-session-id}) of resending the session id, that session, as far as that browser instance is concerned, is effectively dead. It is only dead on the Web server, however, when the session lifetime value is up. In other words, the Web server and your browser have no communication for the duration of the session lifetime value.

Now, if some malicious website admin or spyware originator were to peak at his or her logs and discover the http header referrer information your browser sent. And, let's say, because of session fixation, he or she sees your session id affixed, they could effectively take over your session. The web server does not care about the originating IP address, it only keeps state via the session id. Also, there is the less probable man-in-the-middle concern about your session id being sniffed. Bad stuff!

So if anyone is concerned about these scenarios, use SSL and never link off to untrusted Websites in your secured Web pages, and/or force PHP to use cookies only (which may have inconvienent ramifications for some.) SSL is the only method to truely secure your sensitive data though.

My ip method is an attempt to make session logins more secure. This has to be enveloped in a function or class being that PHP session handling does not incorporate ip checks. I couldn't just grab the first ip because there are proxy farms (like AOL.) If you are behind one of the proxy farms, this means that when your browser connects to an html page, numerous proxy servers may download each individual image, stylesheet, script, etc. Thus, you end up with multiple ips. This means only one of those proxy servers will be authentic as far as your programming goes. That's when I came up with the idea for doing a WHOIS query on the block. This, of course, follows the assumption, that proxy farms are at least from the same network block.

If you want me to show some code examples and other other ideas on securing non-SSL logins. I can continue be boring. 😃

Tea_J

lol.. please do bore me more!!! hehe

seriously though. very helpful man. thanks.. finally i understood this damn thing! lol

OK .. som im liking that IP thing... so long as the user isnt using proxies, i think getting the ip via PHP $_SERVER['REMOTE_ADDR']; is good enough yeah? additional verification variables can be the user's browser, etc etc..

now.. with this proxy thing. you mean there is a way to find out what a user's iP address is even if he's behind an array of proxy servers?

also.. where are session variables stored????

bretticus

The pupose of the netblock is to validate multiple ips belonging to the same netblock (I just realized that if they have a log entry with your referrer data, they most certainly have your ip...I guess if they don't GUESS to spoof their IP, we're still fine. Spoofing is hard anyway.) The mulitple IPs being the possible proxy farm servers or DHCP pool. In other words, the original host behind the proxy is not the goal. However, the following function should work to get the real remote addr ( I decided I couldn't rely on this as a few proxy servers do not send the header.) Here ya go, should work for most cases. I'll still post that security class some time too (not now.)

function getRemoteAddr()
{
	if ( isset($_SERVER['HTTP_CLIENT_IP']) ) {
		$ip = $_SERVER['HTTP_CLIENT_IP'];
	} elseif ( isset($_SERVER['HTTP_X_FORWARDED_FOR']) ) {
		$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
	} elseif ( isset($_SERVER['REMOTE_ADDR']) ) {
		$ip = $_SERVER['REMOTE_ADDR'];
	}
	return $ip;
}

bretticus

also.. where are session variables stored????

In Linux, they are stored in your /tmp folder usually (this can be changed in your php.ini file.)