Cookies &amp; Security

Cookies & Security

quark76

Everything I've been reading has led me to how unsafe cookies are. What's the best way to handle cookies & remember login information? For example, what should I store in cookies & what should I not store in cookies?

NogDog

Probably the best solution is to use the PHP [man]session_start/man function and the super-global $_SESSION array to store user data. Then the only cookie being exchanged is the session ID cookie: no user data is exchanged across the network.

dagon

You could also use https to transfer the cookie data securely. The amount of security you should use is dependent on what you are trying to protect.

quark76

@ Nogdog - I apologize, my question was not clear. I meant when the user logs in & clicks remember me. Closes the browser & then comes back to the site. I want them to not have to log back in. But what I'm reading is that if I store the username & password in these, then they are subject to hacking. I'm looking to have the more secure way to keep them logged in.

@ dagon - its a members social network type site. So Would https be a bit much?

bradgrafelman

quark76 wrote:
But what I'm reading is that if I store the username & password in these, then they are subject to hacking.

That depends on what you mean by "these" (I'm guessing sessions?) and by "hacking" (I'm guessing altering/stealing the data?). The actual data stored in the session is kept only on the server, so I guess the security would only be as good as the location where the session files are stored (e.g. if you're on a shared host, probably not very secure).

quark76 wrote:
its a members social network type site. So Would https be a bit much?

I guess that depends; would you care if your login credentials to such a site were compromised and someone else logged into your account?

quark76

bradgrafelman;10955964 wrote:
That depends on what you mean by "these" (I'm guessing sessions?) and by "hacking" (I'm guessing altering/stealing the data?). The actual data stored in the session is kept only on the server, so I guess the security would only be as good as the location where the session files are stored (e.g. if you're on a shared host, probably not very secure).

I guess that depends; would you care if your login credentials to such a site were compromised and someone else logged into your account?

Ok, I'm learning a lot here. So what would you suggest as the best way to remember a users loggin info for say 30 days?

Thanks

bradgrafelman

Sessions over an HTTPS login portal. 🙂

NogDog

The thing is: if you're going to use any cookies at all, it's essentially as easy to steal one cookie as it is 20 cookies. And remember, cookies can be stolen directly from the computer, not just via network "sniffers", so HTTPS won't take care of everything. So I would probably...

Use sessions, but...
Set the session cookie timeout and session data retention times to some large value,
Save the user's "stay logged in" preference in the DB,
Update $SESSION['last_request'] with time() on each page, after...
Checking if current time is some amount greater than $_SESSION['last_request'] AND stay_logged_in is off, then destroy the session and send user to the login form.

I'd probably recommend using a database for the session data. And any time the user goes to any sensitive area (such as user account settings, you should make them log in if their last login was more than X time ago (therefore last_login would probably be another item to store in the user data).

quark76

NogDog;10955970 wrote:
[*]Set the session cookie timeout and session data retention times to some large value,

Ok...something like 30 days.

NogDog;10955970 wrote:
[*]Save the user's "stay logged in" preference in the DB,

Save remember me in the DB?

NogDog;10955970 wrote:
[]Update $SESSION['last_request'] with time() on each page, after...
[*]Checking if current time is some amount greater than $_SESSION['last_request'] AND stay_logged_in is off, then destroy the session and send user to the login form.

This is a little confusing. Can you elaborate?

NogDog;10955970 wrote:
I'd probably recommend using a database for the session data. And any time the user goes to any sensitive area (such as user account settings, you should make them log in if their last login was more than X time ago (therefore last_login would probably be another item to store in the user data).

So you mean saving something like the session_id() & then checking this each page request? I do save last_login, what would you suggest as a good amount of time for them to login again for sensitive areas, 1 week of no activity?

sneakyimp

When someone logs in and checks the "keep me logged in" checkbox, you should make a note of it in your db. I'm thinking the session table (if you have one) would be a good place to put this. The user table is another possibility.

By "make note of it in your db" I mean that you should store enough information in your database to determine whether someone deserves to be logged in without providing a password.

The easiest "remember me" concept to me is that you store a session id in a cookie with an expiration date six months off or something. The session ID should be some random sequence. [man]uniqid[/man] with the 2nd param set to TRUE might be useful for providing a session id. Maybe something like this:

// assuming the user has provided a valid username and password
// we can check to see if they want to be remembered
if ($_POST['remember_me']) {

  $remember_me_id = uniqid('string_prefix_', TRUE);

  // code here would store $remember_me_id somewhere in your db

  setcookie('your_cookie_name', $remember_me_id, strtotime('+30 days'));
}

When someone comes to your site that has no current session, your site would check for that cookie. If the cookie is found, your code would search in the db for the remember_me_id value and, if found, would establish a session without prompting the user for password.

The basic idea is that this session id is another password which gets stored in a cookie. From a security standpoint, this is obviously risky because an intruder may gain temporary access to the computer where the cookie is stored. Obviously the cookie value should be impossible to guess that's why it's good to have long values.

To mitigate what is obviously a risky security situation, you should give sessions created with this cookie limited capabilities. Don't let users change their password without entering the real password. Don't show them any credit card numbers or let them make orders, etc.

There's also the issue of keeping your session table clean in your database. You should always update that last_request time for these stored sessions with each page request and occasionally, you should delete "remember me" session records where the last_request time is more than 30 days or six months or whatever.

There are other techniques you can use to enhance the security of this approach. You might check a variety of information about the user: their ip address or a portion of their ip address? their user agent string?

And personally, I firmly believe in using HTTPS whenever possible for sensitive information. Logins/logouts, whatever. It's not that hard.

quark76

Is the concept of having a session table a way to track what sessions are set in the DB so you would have fields of: sid, uid, cookie, date_created,
last_updated, session_data (to store array).

So, let me make sure I understand correctly. User logs in & I store $SESSION variables. Then I check $username, $session_id
(actual session_id() function call), $ip & $cookie (my random string of text) when they go to any user restricted pages checking what's stored in
DB vs. $SESSION. If all these don't match, prompt a login. Is this correct?

Now, they also have clicked remember & I set cookie in $COOKIE & time this out 6 months out. I insert remember into DB. So then if they
attempt to access a restricted page, I should again prompt a login. Is this what you are saying?

As far as last_request, like nogdog was saying simply test this against my 30 days make it invalid if it is over 30 days?

Thanks

sneakyimp

You only care about the remember_me cookie if the user is not currently logged in. So you only need to check for that cookie if $_SESSION doesn't have anything interesting in it.

A session table can hold whatever info you want -- or you can do with out it entirely and store the 'remember me' type stuff in the user table. I like the idea of a separate table because it's a separate concept from the user data.

If you had such a table, you would definitely need to have sid -- a primary key -- and uid (so you know which user we are talking about). You could theoretically use the value you store in the cookie as your primary key but there's no harm in keeping them separate. You do NOT want your cookie values to be easily guessed so they should be as random as possible and not just gradually increasing integer values. Think of some huge number space like a 40-digit hexadecimal number. You could have a billion users and the chances of guessing one session id would still be something like 1 in 10³⁹

date_created isn't really necessary. last_updated is useful for keeping your db clean and expiring sessions.

storing session_data in the sessions table might be tricky depending on how much you have. a varchar field can only be 255 chars most of the time (depends on DBMS i think). You could use a TEXT field for more info, etc. You could instead just store session data using $_SESSION which is handy because it means you don't have to store and update your db every time some session-related value changes.

pretty much every page should establish session info. your code might be like this:

<?php
session_start();

if (!$_SESSION['logged_in']) {
  // check the cookie!
  // if the cookie exists and matches a record in your 'session' table 
  // then make sure it's not expired
  // then fetch the appropriate user info and store it in $_SESSION
  // also remember to update the session record's last_updated value
} else {
  // you should already have all your user info in $_SESSION!
  // you may want to update the last_updated value in the session table
}

// so at this point $_SESSION either contains valid user info or it's empty
// if it's empty, we deny access to any protected pages
// if it's not empty, we can check if the user has the right privileges
// based on info in $_SESSION
if (isset($_SESSION['access_level']) && ($_SESSION['access_level'] < 5)) {
  echo 'this page requires level 5 access!';
  header('location: login.php?return_page=' . urlencode($_SERVER['REQUEST_URI']));
}
 ?>

Directly setting a value in $_COOKIE doesn't mean that a cookie is stored by the user's browser. You need to use [man]setcookie[/man].

last_request should probably be updated with each page access and is useful for expiring sessions. generally speaking, sessions should time out and this field is a good way to track them.

There are a lot of considerations when dealing with sessions. It may take awhile to get your head around them all. It's helpful to remember that HTTP is a stateless protocol -- kind of like a fish with no attention span. Each page request is oblivous to what has happened before UNLESS you use a persistence mechanism like a database or cookie. Think of that movie memento. Dude forgets everything on a daily basis.

So when you access a page, you must look for the traces of a previous session every time. If you use session_start and $_SESSION then PHP handles a lot of the details for you. If you want 'remember me' functionality then you need to set a cookie.

EDIT: added php tags.

bradgrafelman

sneakyimp wrote:
You do NOT want your cookie values to be easily guessed so they should be as random as possible and not just gradually increasing integer values. Think of some huge number space like a 40-digit hexadecimal number. You could have a billion users and the chances of guessing one session id would still be something like 1 in 10³⁹

Sounds a lot like MySQL's UUID() function.

sneakyimp wrote:
storing session_data in the sessions table might be tricky depending on how much you have. a varchar field can only be 255 chars most of the time (depends on DBMS i think). You could use a TEXT field for more info, etc. You could instead just store session data using $_SESSION which is handy because it means you don't have to store and update your db every time some session-related value changes.

Unless I'm missing something, the suggestion has been to create a custom session save handler so that rather than letting PHP store the session data in files, PHP would instead call your custom session handlers (see [man]session_set_save_handler/man) when working with session data.

In other words, your session table in the DB would look like:

CREATE TABLE sessions (
    sid VARCHAR(32) NOT NULL,
    last_accessed TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
    data TEXT,
    PRIMARY KEY (sid)
);

where 'data' holds the serialized session data.

quark76

I'm thinking of using this class from the session_set_save_handler page php.net.

 klose at openriverbed dot de
12-Mar-2008 02:01
An tested example with static class.
Initiated from maria at junkies dot jp comment.
<?php
/**
 * PHP session handling with MySQL-DB
 *
 * Created on 12.03.2008
 * @license    http://www.opensource.org/licenses/cpl.php Common Public License 1.0
 */

class Session
{
    /**
     * a database connection resource
     * @var resource
     */
    private static $_sess_db;

/**
 * Open the session
 * @return bool
 */
public static function open() {

    if (self::$_sess_db = mysql_connect('localhost',
                                        'root',
                                        '')) {
        return mysql_select_db('my_application', self::$_sess_db);
    }
    return false;
}

/**
 * Close the session
 * @return bool
 */
public static function close() {
    return mysql_close(self::$_sess_db);
}

/**
 * Read the session
 * @param int session id
 * @return string string of the sessoin
 */
public static function read($id) {
    $id = mysql_real_escape_string($id);
    $sql = sprintf("SELECT `session_data` FROM `sessions` " .
                   "WHERE `session` = '%s'", $id);
    if ($result = mysql_query($sql, self::$_sess_db)) {
        if (mysql_num_rows($result)) {
            $record = mysql_fetch_assoc($result);
            return $record['session_data'];
        }
    }
    return '';
}

/**
 * Write the session
 * @param int session id
 * @param string data of the session
 */
public static function write($id, $data) {
    $sql = sprintf("REPLACE INTO `sessions` VALUES('%s', '%s', '%s')",
                   mysql_real_escape_string($id),
                   mysql_real_escape_string(time()),
                   mysql_real_escape_string($data)
                   );
    return mysql_query($sql, self::$_sess_db);
}

/**
 * Destoroy the session
 * @param int session id
 * @return bool
 */
public static function destroy($id) {
    $sql = sprintf("DELETE FROM `sessions` WHERE `session` = '%s'", $id);
    return mysql_query($sql, self::$_sess_db);
}

/**
 * Garbage Collector
 * @param int life time (sec.)
 * @return bool
 * @see session.gc_divisor      100
 * @see session.gc_maxlifetime 1440
 * @see session.gc_probability    1
 * @usage execution rate 1/100
 *        (session.gc_probability/session.gc_divisor)
 */
public static function gc($max) {
    $sql = sprintf("DELETE FROM `sessions` WHERE `session_expires` < '%s'",
                   mysql_real_escape_string(time() - $max));
    return mysql_query($sql, self::$_sess_db);
}
}

//ini_set('session.gc_probability', 50);
ini_set('session.save_handler', 'user');

session_set_save_handler(array('Session', 'open'),
                         array('Session', 'close'),
                         array('Session', 'read'),
                         array('Session', 'write'),
                         array('Session', 'destroy'),
                         array('Session', 'gc')
                         );

if (session_id() == "") session_start();
//session_regenerate_id(false); //also works fine
if (isset($_SESSION['counter'])) {
    $_SESSION['counter']++;
} else {
    $_SESSION['counter'] = 1;
}
echo '<br/>SessionID: '. session_id() .'<br/>Counter: '. $_SESSION['counter'];

?>

And don't miss the table dump. ^^

CREATE TABLE IF NOT EXISTS `sessions` (
  `session` varchar(255) character set utf8 collate utf8_bin NOT NULL,
  `session_expires` int(10) unsigned NOT NULL default '0',
  `session_data` text collate utf8_unicode_ci,
  PRIMARY KEY  (`session`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

So, if I use this, all I need to do is this?

$session = new Session();

Then I can use it as normal?

And do I access it like this?

$_SESSION["username"]

or this?

$session["username"]

And does everything work just the same as a regular session from here on out (i.e. registering, start, destroy session), its just that I'm storing the session info in my own DB instead of allowing PHP to do so?

bradgrafelman

You don't create an instance of that class; all of the methods that PHP needs to access are static methods.

Once you call the session_set_save_handler() function with the appropriate parameters, you simply use sessions as you normally would, e.g. calling [man]session_start/man, accessing/changing data in the $_SESSION superglobal array, etc. etc.

quark76

bradgrafelman;10956374 wrote:
You don't create an instance of that class; all of the methods that PHP needs to access are static methods.

Once you call the session_set_save_handler() function with the appropriate parameters, you simply use sessions as you normally would, e.g. calling [man]session_start/man, accessing/changing data in the $_SESSION superglobal array, etc. etc.

Ok, so you're saying that I do nothing since it is already taken care of it in the class. So, I'm assuming I just put it in a separate file & use include and then do session start.

Is there a way I can set my own SID?

bradgrafelman

Well there's [man]session_id/man, though I don't know why you would want to do this.

quark76

bradgrafelman;10956394 wrote:
Well there's [man]session_id/man, though I don't know why you would want to do this.

I'd like to make it a longer string. I've tried both these functions:

session.hash_function
session.hash_bits_per_character

I can only get it one character longer. I have a function to create a random string of #'s & letters. Now I just need to put it as my session_id generator. I don't know how to do that. I understand I use session_id(), but where would I call this in the class? Or is that even necessary?

Thanks