I ned to set a session per every user, so when the user log ou from his account and login again in another account the old session will not be shown but the new that related to his new account will be shown
I am using the normal method in laravel to do it
Session::put('key', 'value');
But the problem as explained is that the session will br shown in all user using this computer
Session ids are supposed to be non-guessable. You're going to have to resolve (attempted) duplicates serverside. If you search through every existing session for a match then your not going to be able to scale this / its going to be very slow. That means you need an access path to the session data based on the username AS WELL AS the session id.
There are lots of solutions to this. I don't think any of them are exposed directly in Laravel.
You need to deal with maintaining the mapping directly in the session management - so you will need a custom session handler. The session handler deals with serialized data - so you need to think about how the username is resolved within the session handler. You could put it in the session and deserialize the data again the handler, or read the value from a global variable. Or you could write a prototytype of the session into a database with the sessionid as the primary key and the username as an indexed lookup before the session close handler is called.
Another approach would be to store the session as the username rather than using the session id. You still need to protect the username though and avoid session fixation, hence you would need to explicity generate the session id using a mechansim where only you can recover the username from it, e.g.
$data=array($username, openssl_random_pseudo_bytes(16));
$sessionid = encrypt(serialize($data), $your_secret_key);
(You still need to write your own session handler for this).
Related
I need to save payment data in DB. So one of the ways is to store the data into session and in saving part do the rest.
I save it like this:
$request->session()->put('paymentData', $request->all());
And then in another controller I call the same session, do some things and then remove the session:
$data = $request->session()->get('paymentData', 'default');
// do some DB storing
// delete session
$request->session()->forget('paymentData');
My question is, if two users are doing payments at same time. Can it happen that they mix these sessions because they will access it under the same name paymentData? Session will be stored in file in storage\session. Or Laravel have some method to distinguish these two Sessions even though they have the same name/key?
Sessions are created per browser session. The Session instance is accessed by a specific session ID. The browser keeps the session ID in a cookie and sends it every time it makes a request, so the server knows which session to use for that request.
What you put within the session can be duplicated no problem - other users cannot see that data (unless they somehow obtain the session ID by a browser attack).
I use php-sessions to check if users are logged in to my app. Is it significantly better for performance than just keeping the user id in a session and checking against the database if the user is logged in instead?
If the password changes or I want to block/log out a user it is easy to just change the database record, but when it lives in a session, can I do that? How?
You can use both.
Use the session variable as a first check, so that you immediately reject any request where the session variable is not set. This saves doing a costly database check for random door-knocking requests.
But if it's set, you still have to do a database check to see if the user's login session is still valid. When a user logs in, create a random token and store it in a session variable and the database. When processing a new request, check if the session variable matches what's in the DB. If an admin wants to force a user to be logged out, they simply invalidate this database record.
I use php-sessions to check if users are logged in to my app
I'm not sure exactly what that looks like - but it sounds horrendous. Either you've broken the session security model or you must be brute-forcing the session data every time you want to find out whom is logged in. Certainly a requirement to maintain a list of active sessions and user identifiers would be best implemented piggy-backed on a custom session handler (for the purposes of triggering - not for a common storage substrate) but you seem to be implying that you you are not doing this.
If the password changes
You cannot keep the password used to authenticate the session in the session.
I have some questions about the mechanism of session in code igniter framework:
1. isn't it exactly like working with a cookie? because what I have seen is that all the session data is send back as a cookie to the browser. so when another request is made then all the data is sent back with the cookie session.
2. the session data is sent back to the browser. even though it is encrypted, I can still identify all the session items, so isn't it easy to change the encrypted value of that item to an encrypt value, like changing an item called loged_in from false to true
3. when saving session data in a database, is the session data automatically deleted?
4. why is it written in code igniter documentation that "Session IDs can never be updated, they can only be generated when a new session is created". so when regenerating the session id in the cookie session how will we be able to compare it to the session id that is stored in the database?
The Session class does not utilize native PHP sessions. CI session library generates cookie when you initialize session in CodeIgniter. So actually sessions in CodeIgniter is a Cookie.
Setup Encryption Key on your config.php file and I'm sure that will resolve an issue you are having. Even CI session document says - "Even if you are not using encrypted sessions, you must set an encryption key in your config file which is used to aid in preventing session data manipulation."
I personally never tried DB Session but YES CI deletes expired sessions stored in DB. CI Documentation says - "The Session class has built-in garbage collection which clears out expired sessions", which explains pretty much about this question.
CI has taken care of this situation. When regenerating session id, CI replaces old session id stored in DB with new session id. If you can take a look in to Session library; check for sess_update() method for more details and you can see how CI is updating new session id in DB.
I am a newbie to php.
I just learned that you can create a session variable for a user after his login such as
$_SESSION['id']=****some value(say 3)******;
and this session variable is maintained as long as he doesn't log out(i.e. you clear this session variable using session_destroy).
Now , I have a confusion that if another user logs in then won't this id variable be overwritten thus logging the previous user out?
If this is true ,then what can I do to resolve it?
PHP sessions are tied to a user by a unique (random) ID string, generated the first time you invoke session_start() for a user. That ID is stored in the client browser as a cookie (or possibly via hidden form fields/query parameters).
Even though $_SESSION is used throughout the code, the CONTENTS of that $_SESSION array are tied to a particular user via that ID string. That means if I hit your site, $_SESSION will contain my details. If you hit your site, $_SESSION will contain your details.
There should be no practical way for my details to "leak" in your session, or vice versa. Destroying my session will not destroy yours, because yours is a completely different session, with a different ID.
All sessions are tied to a unique session ID. This is typically set inside the user's cookie.
I am trying to understand security when it comes to session cookies in php. I've been reading a lot about it, but I still lack the specifics. I need the basics, someone to show examples.
For example: Do I place session_regenerate_id() before every session cookie? What more shall I think about. I am asking about specifics in code - examples if possible.
Thank you very much.
I am using 4 session cookies after logging in.
SESSION "site_logged_in" = true
SESSION "site_user_nr" = the number of the user to access user_table_nr
SESSION "site_user_id" = the user's id to use when changing data in tables
SESSION "site_user_name" = the name of the user to display on page
When I check if the user has access, I check if all 4 cookies are set, and if site_logged_in is set to true.
Are there better ways? Do I have the completely wrong idea about this? Can users easily be hacked?
In fact you need to have only one session in your website. When you call session_start() session is being created on server and user automatically gets session cookie. Think like session is a some sort of container that placed on the server, you can put whatever you want in that container. However session cookie is just a key to access that container on the server.
It means that you can safely put some data in the $_SESSION and only the user that have cookie with matching session id can read it.
About users being hacked. Yes they can be hacked as long as you don't use HTTPS connection, because cookies and all other data is being transferred in clear text, so if someone intercept users cookie he can access the data stored in the session.
Always use a security token for logging users. This security token could be generated by using crypt(). After logging users in, change the security token periodically until they log out. Also keep the server backup of all the session variables including the security token (in a database). This would also help you to track user login history.
One more personal suggestion: Never use any data from the database as session variables without encrypting it with any of the hashing functions or functions like crypt().
The session information is stored server-side. What you should check is that they're logged in, and that they exists/can log in (in case of deletions/bans).
As you're checking they exist/can log in, you can pull the other information from the database such as name, nr and so on. All you really need is a key called 'logged_in_user' or something that stores the ID of the logged in user. As Alex Amiryan said, the cookie can be copied, so you might also want to store the IP address of the last accessing view in the session, so you can try to ensure security.