Topic awaiting preservation: Security questions regarding sessions (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=12872" title="Pages that link to Topic awaiting preservation: Security questions regarding sessions (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: Security questions regarding sessions <span class="small">(Page 1 of 1)</span>\$

Pugzly Paranoid (IV) Inmate From: 127.0.0.1 Insane since: Apr 2000	posted 08-29-2003 06:43 Okay, I think I've got everything covered....... I wrote a PHP based contact management application that uses sessions. Each user can log in, change their password, view/change their contact info, and export contact info for any other user to Outlook (vCard) or a full list to Excel (csv). ALL of these features require that they be logged in. What I do is authenticate via HTTP authentication to a MySQL database. Once authenticated, I start the session, and register the username and a hash of the password to the session. On subsequent pages, I check for those variables, and, if they exist, continue (under the 'assumption' that they are authenticated). If they are not present, I take them back to the login page. MySQL queries are built around the session data, so if it's bogus, they won't get any returns.... I use $_SESSION['myvariable'] for the variable format. I'm curious as to if this should be considered secure, or if I should be doing something differently/additionally. Currently, everything is working fine. And, since I'm using an MD5 hash of the password (both in the session variable and in the db), believe that I should be ok. I intend on adding more functionality to this application, but want to make sure I'm all set with authentication before I continue. I'd appreciate any comments, questions, death threats.....
mr.maX Maniac (V) Mad Scientist From: Belgrade, Serbia Insane since: Sep 2000	posted 08-29-2003 08:29 I suggest you to read the following document: http://www.acros.si/papers/session_fixation.pdf
butcher Paranoid (IV) Inmate From: New Jersey, USA Insane since: Oct 2000	posted 08-29-2003 15:06 Thanks for the link mr.maX. I won't claim to understand everything they had in this article, but here's what I took from it. If you set up your web aplications to issue a sessid after the user has given username/password credentials and not accept one before that AND control the length of the sessions with an absolute time out that you should be pretty safe from this type of attack. Am I oversimplifying this because of my ignorance of what's really happening from the attackers point of view? -Butcher-
Pugzly Paranoid (IV) Inmate From: 127.0.0.1 Insane since: Apr 2000	posted 08-29-2003 15:59 If that's the case, how do you configure to NOT accept one before that? Just curious, as I need to make this fairly secure. No e-commerce or anything like that, but personal data....
Pugzly Paranoid (IV) Inmate From: 127.0.0.1 Insane since: Apr 2000	posted 09-04-2003 15:12 I'm still a little confused as to how to NOT accept a session id before I start one. Am I missing the boat?
Petskull Maniac (V) Mad Scientist From: 127 Halcyon Road, Marenia, Atlantis Insane since: Aug 2000	posted 09-04-2003 17:24 ...most of this thread is over my head, but I've very interested in how this works out... where are these people? Code - CGI - links - DHTML - Javascript - Perl - programming - Magic - http://www.twistedport.com ICQ: 67751342

Topic awaiting preservation: Security questions regarding sessions (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=12872" title="Pages that link to Topic awaiting preservation: Security questions regarding sessions (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: Security questions regarding sessions <span class="small">(Page 1 of 1)</span>\$

Pugzly
Paranoid (IV) Inmate

From: 127.0.0.1
Insane since: Apr 2000

posted 08-29-2003 06:43

Okay, I *think* I've got everything covered.......

I wrote a PHP based contact management application that uses sessions. Each user can log in, change their password, view/change their contact info, and export contact info for any other user to Outlook (vCard) or a full list to Excel (csv). ALL of these features require that they be logged in.

What I do is authenticate via HTTP authentication to a MySQL database. Once authenticated, I start the session, and register the username and a hash of the password to the session. On subsequent pages, I check for those variables, and, if they exist, continue (under the 'assumption' that they are authenticated). If they are not present, I take them back to the login page. MySQL queries are built around the session data, so if it's bogus, they won't get any returns....

I use $_SESSION['myvariable'] for the variable format.

I'm curious as to if this should be considered secure, or if I should be doing something differently/additionally. Currently, everything is working fine. And, since I'm using an MD5 hash of the password (both in the session variable and in the db), believe that I should be ok.

I intend on adding more functionality to this application, but want to make sure I'm all set with authentication before I continue.

I'd appreciate any comments, questions, death threats.....

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 08-29-2003 08:29

I suggest you to read the following document: http://www.acros.si/papers/session_fixation.pdf

butcher
Paranoid (IV) Inmate

From: New Jersey, USA
Insane since: Oct 2000

posted 08-29-2003 15:06

Thanks for the link mr.maX.

I won't claim to understand everything they had in this article, but here's what I took from it.

If you set up your web aplications to issue a sessid after the user has given username/password credentials and not accept one before that AND control the length of the sessions with an absolute time out that you should be pretty safe from this type of attack.

Am I oversimplifying this because of my ignorance of what's really happening from the attackers point of view?

-Butcher-

Pugzly
Paranoid (IV) Inmate

From: 127.0.0.1
Insane since: Apr 2000

posted 08-29-2003 15:59

If that's the case, how do you configure to NOT accept one before that? Just curious, as I need to make this fairly secure. No e-commerce or anything like that, but personal data....

Pugzly
Paranoid (IV) Inmate

From: 127.0.0.1
Insane since: Apr 2000

posted 09-04-2003 15:12

I'm still a little confused as to how to NOT accept a session id before I start one. Am I missing the boat?

Petskull
Maniac (V) Mad Scientist

From: 127 Halcyon Road, Marenia, Atlantis
Insane since: Aug 2000

posted 09-04-2003 17:24

...most of this thread is over my head, but I've *very* interested in how this works out...

where are these people?

Code - CGI - links - DHTML - Javascript - Perl - programming - Magic - http://www.twistedport.com
ICQ: 67751342