Topic: Sessions SSL (Page 1 of 1)

Hey,

I've been doing a bit of reading on php sessions... I've got no problems understanding how to use sessions (how to set and get them etc.); I'm just not comfortable with security side of things. I've read a bit about checking IP's and what not along with the sessions but it's just not making a lot of sense to me as I'm just not sure what I'm even trying to stop/block... I do have an SSL set up and I'm wondering how much that covers as far as security goes with session handling... if everything is under the SSL do I even need to worry?

HTTP (and https) don't have state.
Every connection is a 'new connection'.

Now a session introduces such state, either via cookies, or by modifiying urls.

What you want to prevent is somebody 'stealing a session', ie. transfering the state to another machine.
(Note that the attacker needs to somehow capture the session identifier for this).

The most common approach to close that (tiny) loophole is to check the client's ip on each visit (and store the ip in your session data ).
But you'll lock out people who have 'round robin' proxys, and it won't help against an attacker who's using the same proxy, or can fake
the ip ( seldom, but possible).

In my mind, it usually isn't worth it. There are only three plausible ways to gain a session id
-by listening to network traffic. Those guys are the ones that could have established a transparent proxy for the user in the first place, so you won't gain anything by checking the ip.
-by a cross side scripting attack, getting the web browser to send the session id someplace else. Yes you could prevent that attack with ip checking, but you're better of preventing cross side scripting, as it also might be used to create sites that appear to come from you, but contain foreign content.
-by having a spy on the users host. Guess what, that spy can also act as a proxy for the attacker, same ip, you still haven't gained anything.


So long,

->Tyberius Prime

Cool TP, thanks for the info... So basically you don't think it's a worry at all... is bothering with an SSL worth anything as far as sessions go?

Bothering with encryption is always worth it .
(Well, you got to pay for a certificate, or SSL is not only useless, but actually creates a fake sense of security)

quote:

---

Well, you got to pay for a certificate, or SSL is not only useless, but actually creates a fake sense of security

---

lol... Thanks again for your help TP!