Best IT Recipes

How secure are PHP session variables?

I have a login script that checks the username / password for the data in the 'user' table. In addition, I have a "roles" table that defines the level of access for this user. Assuming I am using secure login scripts, are there any security holes when simply completing an additional request when logging in successfully against the "roles" table to detect the user authorization level and store it in a session variable? Then the idea would be that on any page with mixed permissions, I could simply request a session variable to open the user authorization level.

Thank.

+47
security php
Jul 25 '09 at 3:20
source share
4 answers

Sessions are much safer than, say, cookies. But you can still steal the session, and thus, the hacker will have full access to what is in this session. Some ways to avoid this are IP checking (which works very well, but the fi value is very low and therefore not reliable in itself) and using nonce. Typically, with nonce, you have a โ€œtokenโ€ for each page, so that each page checks that the last page does not match what it stored.

There is a loss of convenience in any security audit. If you are checking IP addresses and the user is behind an intranet firewall (or any other situation that causes this) that does not support a fixed IP address for that user, they will have to re-authenticate each time they lose their IP address . With nonce, you always enjoy the โ€œClick Backโ€ overload.

But with cookies, a hacker can steal a session simply by using fairly simple XSS methods. If you store the user session ID as a cookie, they are also vulnerable to this. Thus, even though the session is only permeable to those who can perform hacking at the server level (which requires a much more complex method and usually some privileges if your server is secure), you still need some additional level Checks for every script request. You should not use cookies and AJAX together, as this facilitates a complete move to the city if this cookie is stolen, since your ajax requests may not receive security checks for each request. For example, if a page uses nonce, but the page never reloads, the script can only check for this match. And if the cookie supports the authentication method, I can now go to the city, doing my evil, using the stolen cookie and the AJAX hole.

+69
Jul 25 '09 at 3:54
source share

Only scripts running on your server have access to the _SESSION array. If you define the scope of a session cookie, you can even restrict it to a specific directory. The only way that someone other than you could get session data is to enter some PHP code on one of your pages.

As for the system you are using, this is acceptable and is a good way to save database calls, but keep in mind that the user will need to log out and log back in for any authorization changes. Therefore, if you want to block an account and this user is already registered, you cannot.

+15
Jul 25 '09 at 3:27
source share

It should be noted that in Apache, the PHP $ _SESSION super switch is accessible through virtual hosts. Consider this scenario:

  • Your server hosts two domains, example.com and instance.org. PHP sessions are stored in cookies that are limited to a domain.
  • The user logs on to example.com and receives a session ID. Example.com sets some session variables (which are stored on the server, not in the cookie).
  • A third party intercepts the cookie during transmission and passes it to instance.org. Instance.org now has access to example.com session variables.

This is not such a big problem when you control all the virtual hosts on your server, but if you are on a shared machine, this is problematic.

+13
Nov 30 '09 at 18:00
source share

If you rely on a value stored inside a session variable to define roles, you lose the ability to change the value in the database and reflect it in relation to the current user session. If you look at the Zend Framework, there is a clear distinction between authentication and authorization and clearly formulated warnings in the manual to keep only a minimal amount of data in a session (ie "Yup, user 37 and he is logged in").

As for "security" - if you are not on a common host, you have nothing to worry about. On a properly configured shared host, they should also be relatively secure.

+2
Jul 25 '09 at 19:06
source share


More articles:


All Articles