
Session ID guessing prevention


MikeM2468 (IS-IT--Management), Apr 5, 2011
I've got a PHP login script that uses LDAP for authentication. As it is now, it just sets $_SESSION['user'] based on the result of the LDAP query. Obviously just checking that $_SESSION['user'] is set is not a good way to secure things as it can be easily guessed. What's a good way to make it secure?
 
How can someone guess whether a session variable is set?
 
If I create a dummy script that only sets $_SESSION['user'] = "test" and then have it open a protected page, the page opens if it is only validating that $_SESSION['user'] is set.
 
Sure. But as you have control over all the scripts that are run on your server, what's the problem?

If you are worried about multiple applications on the webserver reusing the 'user' session key, set a specific session name on the relevant application
Code:
// give this application its own cookie name so other apps' sessions are not shared
session_name('my_hyper_secret_session');
// start the session only if none is active yet; otherwise refuse the request
if(session_id() == '' ): session_start(); else: die(); endif;

I don't see any other method of skinning the cat as the 'value' of the session key is also arbitrarily set by scripts under your control.

You could decrease the chance of spoofing or multi-terminal access by

1. setting a timecode on each access and timing out the login if there is inactivity beyond x minutes
2. recording the IP address of each access and killing the session if the IP address changes.


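The two measures listed above (inactivity timeout and IP binding) combined with a session-ID regeneration at login, as an added example that is not code from this thread. It assumes the LDAP check has already produced `$username`; the function names `establish_login` and `require_login` and the 15-minute limit are assumptions.

```php
<?php
// Added example: hardened session handling for an LDAP-backed PHP login.
// Assumes LDAP authentication already succeeded and yielded $username.

const SESSION_NAME = 'my_hyper_secret_session';   // name from the reply above
const MAX_IDLE_SECONDS = 15 * 60;                  // "x minutes" of inactivity (assumed)

function start_secure_session(): void {
    session_name(SESSION_NAME);
    // Cookie travels only over HTTPS and is not readable from JavaScript.
    session_set_cookie_params([
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
    ]);
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

// Call once, immediately after the LDAP bind succeeds.
function establish_login(string $username): void {
    start_secure_session();
    // Fresh ID so a session ID that existed before login never becomes a logged-in one.
    session_regenerate_id(true);
    $_SESSION['user']          = $username;
    $_SESSION['authenticated'] = true;
    $_SESSION['last_activity'] = time();                        // step 1: timecode
    $_SESSION['client_ip']     = $_SERVER['REMOTE_ADDR'] ?? ''; // step 2: IP record
}

// Call at the top of every protected page; returns the user or ends the request.
function require_login(): string {
    start_secure_session();
    $ok = ($_SESSION['authenticated'] ?? false) === true
        && isset($_SESSION['user'], $_SESSION['last_activity'], $_SESSION['client_ip'])
        && (time() - $_SESSION['last_activity']) <= MAX_IDLE_SECONDS   // idle timeout
        && $_SESSION['client_ip'] === ($_SERVER['REMOTE_ADDR'] ?? '');  // IP unchanged
    if (!$ok) {
        // Kill the session rather than trusting a stale or relocated one.
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_activity'] = time();   // slide the inactivity window forward
    return $_SESSION['user'];
}
```

Checking a server-set `authenticated` flag plus the timestamp and IP means a page no longer opens merely because `$_SESSION['user']` happens to exist.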
 
Maybe I'm overthinking it or I don't understand the limits. Can the session only be created on-server?

So this wouldn't work from some outside host:

Code:
session_start();
$_SESSION['user'] = "test";
header("Location: http://www.mydomain.com/secretscript.php");
 
No. You cannot execute PHP from the client side.
The session data resides only within the session store.
The session store resides (usually) in the file system of the server (you can configure this to store the data in a database instead).
The session is identified by the value of a cookie sent by the browser. No actual session data is stored on the client side.
 
I didn't mean client side. I meant from another server. The other server - out in the world somewhere - has a script that creates the session and tries to open my script remotely.
 
Unless that other server has write access to your server and had the same DNS host name so that the cookie would be in the same domain, I don't see the danger.
And if you have given a remote server write access then you either trust it or have compromised security already. So the point is moot.
 