
Php session security 1

Status
Not open for further replies.

theEclipse

Programmer
Dec 27, 1999
1,190
US
I am writing a script base that is using sessions and I find myself wondering about the security of the session itself.

The user login system is database driven and a session is started after authentication. My question is what should I store in the $_SESSION to keep the user statistics. As of now I am storing the user name and their unique database id.

The thing that I don't want is for a user to somehow bubble up from a user-level login to an admin-level.

Should I be encrypting or hashing the information I am storing in the session?



Robert Carpenter
"Disobedience to conscience is voluntary; bad poetry, on the other hand, is usually not made on purpose." - C.S. Lewis (Preface to Paradise Lost)
ô¿ô
 
I don't think it's necessary to hash your session data. Since only the session ID is stored on the client, and all the actual session data is stored on the server, your users will not have access to the session data.



Want the best answers? Ask the best questions!

TANSTAAFL!!
 
If you are concerned about session security on the server, you can use a custom database session handler to store your session information. That way you can store the session information in the database any way you like, even encrypted (but a major speed hit if you do that).

 
Unless we are expecting a hacker to access the server-stored session data directly, I don't see where encryption is going to do all that much.

And anyone who is going to get to files that are stored outside your web site's document root is also going to be able to look at your scripts and get your decrypt key.

I don't see where encryption will increase security. The same for storing the data in a database server.

Want the best answers? Ask the best questions!

TANSTAAFL!!
 
The reason I am a bit worried about security is because I am on a shared server--and they sell shell accounts.

btaber - if inserting the data into a mysql table and then destroying the session so that no session data is stored in the server, how would I determine what key indexes the session data in order to pull the data back out?

Would you unset all of the session variables so that they aren't stored but leave the session intact so the SID is the database key?

Robert Carpenter
"Disobedience to conscience is voluntary; bad poetry, on the other hand, is usually not made on purpose." - C.S. Lewis (Preface to Paradise Lost)
ô¿ô
 
For implementation of a database session system read faq434-2037
The shell accounts probably run with a jailshell.
 
DRJ-
thanks. I looked over that FAQ and it is not a workable fix for my worries. The reason is that in order to register the session handlers I would need to be able to modify my php.ini file and set session.save_handler = user.

And the tricky thing is that I don't think that this is one of those things that I can set with ini_set() (or whatever it's called...) because the point at which php would test the value and restore the session information is before the script executes.

Unless php doesn't check the browser's request for the session cookie until session_start() is called, in which case the use of ini_set() would work as long as I put it above session_start().

Robert Carpenter
"Disobedience to conscience is voluntary; bad poetry, on the other hand, is usually not made on purpose." - C.S. Lewis (Preface to Paradise Lost)
ô¿ô
 
A few things:

1. PHP doesn't check session data until session_start() is called.
2. The ini value can be set at run-time. There is no need to edit php.ini itself.

Here's an example (from code I use with a server farm):

Code:
###### BEGIN session initialization ############
# set the ini value to have user handled session
ini_set('session.save_handler','user');
# set garbage collection probability
ini_set('session.gc_probability',5);
#
# register above functions as the session handlers
#
session_set_save_handler(
        "sess_open",
        "sess_close",
        "sess_read",
        "sess_write",
        "sess_destroy",
        "sess_gc"
);
#
# disallow proxy/client caching
#
session_cache_limiter('nocache');
#
# automatically initiate a session
#
session_start();
 
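A database-backed handler in the style DRJ describes, written against the newer SessionHandlerInterface so the six callbacks live in one class. This is an added example, not code from the thread: the sessions table and the in-memory SQLite connection are constructed here so it runs stand-alone (a real deployment would point the PDO at MySQL), and the tail shows keeping only the user's database id in the session, as theEclipse asked about, so the role is always re-read from the users table.

```php
<?php
// Added example: PDO-backed session handler; SQLite in-memory is a stand-in.
class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);                // parameterised: session id is client input
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';    // empty string => new, empty session
    }

    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare(
            'REPLACE INTO sessions (id, data, last_seen) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE last_seen < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();             // number of expired sessions removed
    }
}

$db = new PDO('sqlite::memory:');           // constructed store for the example
$db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, data TEXT, last_seen INTEGER)');

// Register before session_start(); no php.ini edit is needed for this.
session_set_save_handler(new DbSessionHandler($db), true);
session_cache_limiter('nocache');
session_start();

// After a successful login: keep only the user's database id in the session
// and look the role up on each request, so a demotion in the users table
// takes effect immediately instead of living on in the session.
$_SESSION['user_id'] = 42;                  // constructed value
session_regenerate_id(true);                // fresh id once privileges change
```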
DRJ-

Thanks for your help. It should be only time before I get it up and running.

I appreciate your help.

Robert Carpenter
"Disobedience to conscience is voluntary; bad poetry, on the other hand, is usually not made on purpose." - C.S. Lewis (Preface to Paradise Lost)
ô¿ô
 