User Authentication - 2 possible methods?

runningOnPHP

Hi,
I've been searching on google for how to implement sessions for user authentication. I've seen two methods.

note I know a bit about how sessions work but I do wonder this:

One type of example shows using sessions to store both the username, and the users password. Each time a secure page is requested it then takes those session variables and checks the database to see if it's a valid combo each and every time. This seems a bit insecure to me in that you are storing user password on the server...right? Also, it's accessing the database needlessly...right?

The other type, and the one that makes sense to me is that the username and password is checked against the database ONCE and if found to be valid a session variable is set to indicate that...for example $_SESSION["access"] = "granted";
and then that session variable is checked on every secure page. Thus the database is only accessed once.

Is one method better than the other? If so, why?

Thanks!

sneakyimp

runningOnPHP;10903057 wrote:
One type of example shows using sessions to store both the username, and the users password. Each time a secure page is requested it then takes those session variables and checks the database to see if it's a valid combo each and every time. This seems a bit insecure to me in that you are storing user password on the server...right? Also, it's accessing the database needlessly...right?

I would agree this seems a bit silly and it seems unnecessary to keep checking the database each time. On the other hand, it's not uncommon to run a number of queries on a given page in PHP so I wouldn't worry too too much about the performance. The advantage it provides is that if you delete someone's account, they will be logged out as of their next page access because the account will not be found. As to whether it's secure or not, that would depend on what method is used to store session data. I think the default is to use files in the TMP folder. I'm not sure what the permissions situation is for the contents of the TMP folder, but I suspect that it is not too difficult to read the files in there. You can also set up PHP to use a database for session storage which would result in another query to fetch session info. It is my understanding that a database for sessions is more secure.

runningOnPHP;10903057 wrote:
The other type, and the one that makes sense to me is that the username and password is checked against the database ONCE and if found to be valid a session variable is set to indicate that...for example $SESSION["access"] = "granted";
and then that session variable is checked on every secure page. Thus the database is only accessed once.

That's pretty much how I usually do it. I set $SESSION['logged_in'] = 1 and then check that var for $_SESSION['logged_in'] === 1 on each page that requires someone to be logged in. The advantage of this approach is that you check the DB less (but you are still checking either a file or DB for the session data on each page access). The one disadvantage that occurs to me is that if you wanted to ban a user or delete their account, they will stay logged in until their session expires -- which could be forever if they are crafty.

runningOnPHP

Thanks, that's pretty much my thinking as well.

Is there a security issue there though...is there someway to fake that the session variable is equal to 1 (using your example)...if someone knew how you were handling things?

sneakyimp

The short answer is 'not really' but that's not the whole story here. You need to understand how sessions work.

When you call [man]session_start[/man] and stores some variables in $SESSION, by default PHP will [man]serialize[/man] and those $SESSION values and write them to a file in the TMP folder.

Generally speaking the name of the TMP file that is created is somehow derived from the session ID that PHP generates to track the session. This session ID must be repeatedly handed back to your server by the visitor's browser so that PHP knows which $_SESSION vars belong to that client. In order for the browser to do this, it must either store the session ID in a cookie or, if cookies are off, PHP may be able to keep adding the session ID to the end of each URL that it feeds to the visitor.

There's nothing you can do to stop some visitor from handing your some different session ID than the one you gave them. When malicious programmers find somebody else's session ID and use it, this is called session hijacking. You might want to google it.

Anyways, it's not impossible for someone to mess around with the session concept. The only ways that they could set some value in $_SESSION are:
1) to get some script to run on the server that would do it. i have no idea if your scripts have some security holes or whatever that might make this possible.

2)write that TMP file by some other means -- i don't know how difficult this might be but it would also require some other kind of security hole somewhere.
3) hijack somebody else' session id. If someone has cookies turned off and PHP has enable_trans_sid set to TRUE then PHP may append a session id to the end of a URL and that clueless user might copy-and-paste a url into a forum posting or something where a malicious hacker might say AHA LOOK A SESSION ID. If the session had not expired, someone might 'log in' simply by copying a URL that contains a session id.

Anyways, it's a pretty involved discussion but you should feel safe using sessions as long as you follow good practices. Don't store sensitive information in cookies, for instance.