What is the best way to check in Symfony2 if a session (not the current) by sessionID is expired.
I have a database e.g. id|sessionId|someData and I want to create a command that remove all rows which sessions are expired.
If you're using the default symfony session handling which relies on php-sessions you're out of luck.
As soon as your session is expired you get a new one.
However if you access to the session save path you might try the accepted answer in this question:
Check if PHP session_id is in use
Related
I ned to set a session per every user, so when the user log ou from his account and login again in another account the old session will not be shown but the new that related to his new account will be shown
I am using the normal method in laravel to do it
Session::put('key', 'value');
But the problem as explained is that the session will br shown in all user using this computer
Session ids are supposed to be non-guessable. You're going to have to resolve (attempted) duplicates serverside. If you search through every existing session for a match then your not going to be able to scale this / its going to be very slow. That means you need an access path to the session data based on the username AS WELL AS the session id.
There are lots of solutions to this. I don't think any of them are exposed directly in Laravel.
You need to deal with maintaining the mapping directly in the session management - so you will need a custom session handler. The session handler deals with serialized data - so you need to think about how the username is resolved within the session handler. You could put it in the session and deserialize the data again the handler, or read the value from a global variable. Or you could write a prototytype of the session into a database with the sessionid as the primary key and the username as an indexed lookup before the session close handler is called.
Another approach would be to store the session as the username rather than using the session id. You still need to protect the username though and avoid session fixation, hence you would need to explicity generate the session id using a mechansim where only you can recover the username from it, e.g.
$data=array($username, openssl_random_pseudo_bytes(16));
$sessionid = encrypt(serialize($data), $your_secret_key);
(You still need to write your own session handler for this).
I am currently searching for a way to implement single session in symfony 3.3, what I want is that if I log in from one browser then log in from another browser on the same user, I want to be logged out from the first session.
A non simple way would be to store the latest session id in the user entity and then query that on every request, if the session id is not the same and older then the user gets redirected to the logout route.
I was wondering if anyone knows a simpler way to implement this which might not be in the symfony documentation.
Thanks.
I solved this by using redis cache instead, I saved the user id as a key and the session id as the data inside the key. Then on every request I searched in redis if there was a key for the current user. If not then I created a key for that user with the session id as the data. If yes then I checked if the session id inside the key was the same as the current session id. If it was the same then I just continued normally, if not I deleted the old session from the session handler and put the new session inside the key.
I also use redis as session handler so I just called destroy on the old session id.
So I was thinking about using CodeIgniter to build an application as to where my clients can register etc. However, I've been looking at the documentation about the sessions, and I was a little confused as to how the cookie data/session data is validated. Could somebody please clear this up for me? I will give my interpretation of how I think it works.
The user logs in -> Session is created and stored session id and email in cookie -> On each page load the cookie data is checked in the database to confirm users session id matches their user agent, ip and perhaps other things?
I'm sorry as to if that is horribly wrong, but I'm having a hard time understanding the logic with securing a session. Thank you for your help!
This is straight from Codeigniter manual:
http://ellislab.com/codeigniter/user-guide/libraries/sessions.html
How do Sessions work?
When a page is loaded, the session class will check to see if valid session data exists in the user's session cookie. If sessions data does not exist (or if it has expired) a new session will be created and saved in the cookie. If a session does exist, its information will be updated and the cookie will be updated. With each update, the session_id will be regenerated.
It's important for you to understand that once initialized, the Session class runs automatically. There is nothing you need to do to cause the above behavior to happen. You can, as you'll see below, work with session data or even add your own data to a user's session, but the process of reading, writing, and updating a session is automatic.
I have some questions about the mechanism of session in code igniter framework:
1. isn't it exactly like working with a cookie? because what I have seen is that all the session data is send back as a cookie to the browser. so when another request is made then all the data is sent back with the cookie session.
2. the session data is sent back to the browser. even though it is encrypted, I can still identify all the session items, so isn't it easy to change the encrypted value of that item to an encrypt value, like changing an item called loged_in from false to true
3. when saving session data in a database, is the session data automatically deleted?
4. why is it written in code igniter documentation that "Session IDs can never be updated, they can only be generated when a new session is created". so when regenerating the session id in the cookie session how will we be able to compare it to the session id that is stored in the database?
The Session class does not utilize native PHP sessions. CI session library generates cookie when you initialize session in CodeIgniter. So actually sessions in CodeIgniter is a Cookie.
Setup Encryption Key on your config.php file and I'm sure that will resolve an issue you are having. Even CI session document says - "Even if you are not using encrypted sessions, you must set an encryption key in your config file which is used to aid in preventing session data manipulation."
I personally never tried DB Session but YES CI deletes expired sessions stored in DB. CI Documentation says - "The Session class has built-in garbage collection which clears out expired sessions", which explains pretty much about this question.
CI has taken care of this situation. When regenerating session id, CI replaces old session id stored in DB with new session id. If you can take a look in to Session library; check for sess_update() method for more details and you can see how CI is updating new session id in DB.
Since keeping a session active for a long period doesn't seem very reliable (when using session_set_cookie_params), it seems like the next best option is to store a cookie along with the session.
When the user logs in, I create a random hash and store it in a database table beside their user id. I then create a cookie and store the hash within it.
If the cookie exists, I extract the hash, do a database search for the user id and automatically log the user in.
If on an open WIFI network, XSS attacked or have a virus/malware, what stops this cookie from being copied and used by some hacker?
What is the best way to keep a session active forever, or until the user logs out?
to safeguard cookie from xss set HttpOnly flag in cookie. to prevent sniffing use secure ssl connection and set the cookie secure flag too.
Something we do is we use a custom session handler, and then use a memcached/mysql storage to backend it. Since the session cookies can be set to a longer timeout, we load the data from memcached. if it's not in memcached we load it from the database. If it's in neither, it's a new session. This way you don't have the generate new session IDs (PHP still handles that) but you do have to manage the data inside the sessions.