Atomic Secure Linux
Post subject: securing sessions?
Unread postPosted: Fri May 18, 2012 12:11 pm 
Hello guys.

I am developing a PHP application. I validate users and keep many things stored in the session.
It's the first time I do such a thing and I was wondering... Is there any way someone can mess with my sessions, which are stored inside the server? I don't use cookies at all for improved security. I should also note that I keep session files inside my private folder with 700 permissions. But I wonder if someone could somehow inject the session files...

Thanks

_________________
Hello IT.
Phone : Blah Blah ....
Have you tried turning it on and off again ?
Phone : Blah Blah ....
....
I'm sorry, are you from the Past ?!
http://www.youtube.com/watch?v=-E4fm4Wqego


Post subject: Re: securing sessions?
Unread postPosted: Mon May 21, 2012 1:04 pm 
I assume you're talking about session poisoning. It's possible because PHP lets the end user set their own session by declaring PHPSESSIONID=MYSESSIONID and, thus, your session_id() would return "MYSESSIONID", instead of a random hash. I wouldn't worry about using cookies. There's no real advantage and, IMO, URL based tracking draws more attention to the session (plus you run the risk that someone shares the URL socially and now you have two users with the same session).

Because users don't have any innate way to write what goes into the session itself (unless you have an insecure app), I wouldn't worry too much about that either. Session files are not executable.

_________________
"It's not a Mac. I run Linux... I'm actually cool." - scott


Post subject: Re: securing sessions?
Unread postPosted: Mon May 21, 2012 7:55 pm 
Highland wrote:
I assume you're talking about session poisoning. It's possible because PHP lets the end user set their own session by declaring PHPSESSIONID=MYSESSIONID and, thus, your session_id() would return "MYSESSIONID", instead of a random hash. I wouldn't worry about using cookies. There's no real advantage and, IMO, URL based tracking draws more attention to the session (plus you run the risk that someone shares the URL socially and now you have two users with the same session).

Because users don't have any innate way to write what goes into the session itself (unless you have an insecure app), I wouldn't worry too much about that either. Session files are not executable.


Hello. Thank you very much for answering!

I don't show the session id in the address bar. I guess this isn't a problem for me, right?

The previous part I haven't understood yet! :(
I didn't want to use cookies in the first place because many browsers or freaked-out users don't work with cookies. Plus I read many topics on Google saying that sessions are supposed to be by nature more secure than cookies, since they rely on the server side and a user cannot see them or edit them.
So a user can actually mess up ("edit") a session file somehow?

_________________
Hello IT.
Phone : Blah Blah ....
Have you tried turning it on and off again ?
Phone : Blah Blah ....
....
I'm sorry, are you from the Past ?!
http://www.youtube.com/watch?v=-E4fm4Wqego


Post subject: Re: securing sessions?
Unread postPosted: Fri Jun 01, 2012 10:36 am 
Not that I am aware of. Let's say that you're running an insecure app that lets a user write into their session directly. Even if they could do that, there's no way to execute your session file.

Again, cookies avoid using URL sessions and URL sessions are easily shared. I don't know that I've ever seen any users "freak out" at cookies. They're invisible to most users.

_________________
"It's not a Mac. I run Linux... I'm actually cool." - scott
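An added example (my code, not anything from the thread) addressing the behaviour Highland describes in both replies: with session.use_strict_mode PHP discards an id it did not issue rather than adopting it, use_only_cookies keeps the id out of the URL so it cannot be shared by link, and regenerating the id at login means an id known before login does not map to the logged-in session (PHP's default session name is PHPSESSID). The session save path and the sample user table are assumptions.

```php
<?php
declare(strict_types=1);

function configureSessions(): void
{
    // Discard ids the server never issued instead of adopting them, so a
    // request carrying PHPSESSID=MYSESSIONID gets a freshly generated id.
    ini_set('session.use_strict_mode', '1');
    // Accept the id from the cookie only, never from the URL, so it cannot
    // leak through a shared link.
    ini_set('session.use_only_cookies', '1');
    // Keep the cookie away from JavaScript and off plaintext HTTP.
    session_set_cookie_params(['lifetime' => 0, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    // Private, non-web-accessible directory (assumed path, as the poster uses).
    session_save_path(__DIR__ . '/private/sessions');
}

// Constructed sample user table; a real application reads it from a database.
// The hash is computed at runtime only so the example runs stand-alone.
function findUser(string $username): ?array
{
    $users = ['alice' => ['id' => 42,
        'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    return $users[$username] ?? null;
}

function loginUser(string $username, string $password): bool
{
    $user = findUser($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Rotate the id once credentials check out, so an id that was known or
    // chosen before login no longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $user['id'];
    $_SESSION['logged_in'] = time();
    return true;
}

configureSessions();
session_start();
if (isset($_POST['username'], $_POST['password'])) {
    loginUser((string) $_POST['username'], (string) $_POST['password']);
}
```

The session directory must exist and be writable by the web server user (the 700 permissions the poster mentions are fine as long as the owner is that user).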