securing with session

lucky-8

Hi,

I have put this code in the first lines of every web page on my website.

<?php session_start();
        if(!isset($_SESSION['myusername']))
                header("Location: main_login.php"); ?>

What happens is once i enter a valid username and password it goes in and the session is set, now if i open another tab or another browser window i can type in any page directly in the URL and it loads the page for me becoz the session is set by that previous valid user. Hope i am clear with my issue.
plz help.

NogDog

That's because the browser stores cookies in the same location regardless of tab or browser instance, so the session cookie is sent regardless of how you open the page. If, however, you open a different browser -- for instance: run both Firefox and IE -- then the other browser will not have the session cookie from the first browser, so it will require its own log in.

benracer

NogDog is correct as ever 😃 - another pointer is that anybody could create a script that stores a session called anybodys username, therefore could grant access to their "area". A way to get round this could be to encrypt the username. Not sure if this helps or not but any way...

NogDog

benracer wrote:
NogDog is correct as ever 😃 - another pointer is that anybody could create a script that stores a session called anybodys username, therefore could grant access to their "area". A way to get round this could be to encrypt the username. Not sure if this helps or not but any way...

Not exactly. The session cookie only stores a pseudo-random ID that is associated with the session data file on the server; it does not store any actual user data. It is a reasonably large string, so it's not conducive to casual hacking, though a brute force attack could eventually break in by trying a sequence of session IDs.

You can help limit such attacks by storing the user's IP in the session data, and if the current IP does not match it then make the user log in again.

PS: On re-reading, perhaps I misunderstood what you were referring to?

benracer

Encrypting would also help - wright?

NogDog

benracer wrote:
Encrypting would also help - wright?

I think I might be misunderstanding what you are referring to. Are you talking about shared hosting situations where different host accounts might have their scripts storing session data in the same directory?

AndreF

In case of shared hosting, then what do you recommend?

NogDog

AndreF wrote:
In case of shared hosting, then what do you recommend?

A database storage mechanism, which can be activated via [man]session_set_save_handler/man.

AndreF

so string IP in session does not make sense for shared hosting?

NogDog

AndreF wrote:
so string IP in session does not make sense for shared hosting?

They are separate issues. Checking the IP is to prevent external hackers from hijacking an existing session by sending a cookie with a matching session ID. Using a custom session handler that stores the session data in a database prevents other users with accounts on the same shared host from being able to access your session data via the file system.

AndreF

I don't think even users with accounts on the same shared hosting can do so as their REMOTE_ADDR is different, and if IP is sessioned then they will be caught. Please correct me if I am wrong.

NogDog

Your session data is stored in a file on the host. If you use the default PHP settings, chances are that it's in the same directory as every other PHP script on the site is using for session data. Therefore, anyone else with an account on that site could possibly write a PHP script (or other language) that searches through all the files in that directory for anything of interest simply by using PHP's built-in directory/file functions. You can change the directory used by your scripts to something else, which will make it a bit more difficult, but still not at all impossible for another PHP script on that host to find and read. Therefore, if you are storing sensitive data in your sessions that would be harmful for anyone else to see and you are doing so on a shared host, you need to consider doing something more to prevent access to that data. (Of course, the best solution is to move your account onto a dedicated server over which you have full control and which is only accessed by yourself or others whom you completely trust.)