I'm currently working on a new website for a client that stores personal information and credit card info on the site. As such, security is a big concern for me. This is the first site I've built that has sensitive information on it, and so I'm not very familiar with the whole subject.
The site manages users using sessions. However, I'm finding it hard to keep the sessions secure. I want to implement a User Agent check that checks the browser every time a page is loaded. This way, when I copy the session ID into a manually-created cookie on my 'attacker' browser, the server will detect the user agent change (from Chrome to Firefox) and reject the session.
My question is, if I do implement this check to run EVERY time a page is loaded, do I run the risk of logging out my legitimate user? Is there any reason that the true user would change their user agent between pages? And if so, how likely is this to happen? Likely enough that I should abandon this approach entirely, or is it an acceptable risk?
EDIT: The cookies are set to expire as soon as the browser is closed. Also, the user agent that is set upon login is stored in the session and is hashed after a salt is appended to it.
Yes, the user-agent string can change. Session cookies often last longer than an individual browser session. If a user upgrades their browser (very common these days with the auto-updaters in Chrome and Firefox) then a different version will appear in the user-agent string.
In addition, some plugins are reported in the user-agent string, causing it to change if a user installs one.
Your user-agent string check doesn't really offer any additional security. I don't recommend it.
Related
So I am working on a site that requires a login against an MySQL database with "remember me" functionality. I got that fine (based off of Jaspan's page). What I am a little fuzzy on is the use of sessions to track user movement. I'm not worried about their history on the site. I've looked around on the interwebs and especially SO, but I haven't really found what I'm looking for. Perhaps I'm just not using the right keywords to search. Anyway... as I said, I have the actual login process, and a cookie is set up with the triplet for the "remember me" functionality. But how do I track the authenticated status while the user is browsing the website? The logged-in user should be able to browse the secure area of the website, or the scripts should output special data, without the website having to check the "remember me" triplet against the database every page load. I thought to do something like $_SESSION['authed']==true, and every page load would check the session value, but I suspect that isn't a very secure way to go about this. I have observed that if I set $_SESSION['authed']==true, close the browser, open the browser, and go to the site again, it still says authed=true. Now, I DO understand that the session variables are stored on the webserver, not in the browser's cache. However, I can't see the big picture enough to know the right way to go about this.
I thought to do something like $_SESSION['authed']==true, and every page load would check the session value
Yes, that's what you do.
but I suspect that isn't a very secure way to go about this
It's perfectly fine. You establish a session, which means you send a unique cookie to the user. That is your security. The fact that you have a session at all is your security. Then you simply record the fact whether the user is "logged in" or not in that session.
I have observed that if I set $_SESSION['authed']==true, close the browser, open the browser, and go to the site again, it still says authed=true.
Yes, cookies don't necessarily expire when the browser is closed. Each cookie has a specified expiration time, they can persist however long you want. Even cookies without an expiration time aren't necessarily immediately discarded when the browser is closed. That may have been the default behaviour of browsers a few years ago, but isn't necessarily true anymore.
In my login code on my website, if the password & username are correct, I set a cookie to keep the user logged in.
I just heard from a user that he doesn't accept cookies automatically through his browser, and that that prevents him from logging in. That rhe cookie is not set.
Is there an easy way to counter that?
Tell me if you need the code I use.
It is possible to get this to work but often a real pain if you're using complex javascript/ajax.
In short, instead of storing the session id in a cookie, you embed it at the end of every link.
so
http://example.com/somepage.php
becomes
http://example.com/somepage.php?SessionId=ABC123
Unfortunately, while PHP can do this for you in some cases, it doesn't help with links you build yourself in javascript - and it only takes clicking a single link without the id to effectively log the user out
See this page for more information
As mentioned by Quentin in the comments, if you're not using a cookie to identify the browser which created the session, it's possible that sharing a link would share the session. This could be mitigated but not prevented by checking IP address/user agent but this would likely fail in large corporate environments with NAT and standard browsers
Pretty basic question here. In PHP, if the user's browser has cookies disabled, you cannot make use of both server cookies ($_SESSION) AND client cookies ($_COOKIE, setcookie) or only the latter are disabled?
Basically you can't make the user log in or do anything that requires a session, right?
Also, in which case would someone want to have cookies disabled?
Thanks!
Yes, it's true. Both sessions and normal cookies are normal cookies. If a user does not accept cookies, he cannot use any of the functionality enabled by them. Which means pretty much the whole internet would break for that user, which is why in this day and age there's virtually nobody who has cookies disabled entirely.
PHP has a built-in mechanism called transparent session ids, which automagically rewrites all links to contain the session id in a query parameter. I would not suggest using it, since session ids in the URL open up a whole new can of worms.
For user friendliness, I'd recommend you test whether the user has cookies enabled or not (set a cookie, redirect to the next page with a flag in the URL that cookies should be set, see if you get any cookies back) and if not, kindly advise the user to enable them.
You can track the user by $_GET.
Imagine that on every-single-page the user visits you pass a ?user_id=XYZ123 then you would have implemented a very similar server-identification. It has obvious disadvantages:
if you copy/paste a URL you'll give away your session_id
because of 1 session high-jack is even less tech savy
Why do users disable cookies?
Users tend to throw first and third party cookies all in the mix but they come from different breeds.
First party cookies are generally ok. When you visit Facebook it's expected that Facebook keeps a cookie to store your interactions with the server.
What it's not expected is that the advertising company that has adds both on Facebook and on eBay gets your cookie back and checks, ah, so this guy was on eBay looking for xyz so now that he's on Facebook I'm gonna show him up abc to make him buy etc etc...
I think you should read the session reference manual http://www.php.net/manual/en/session.idpassing.php
In short, if your server can't find session_id, he can not restore session. But you can use alternate ways to store session values. Or you can generate session_od base on user's client environment parameters.
I have a PHP app which requires log in, offers a log out option and force logs off users who have been inactive for X minutes.
But, if I log in, close my browser and re-open it, the $_SESSION variables still exists.
What's the general practise here? Should I want to prevent this and, if so, how?
Something in me just wants to treat closing the browser as logout ... on the one hand, it's a secure app (since it requires login) but a non-tech user might reasonably expect that if they close the whole browser then no one can see their private data. Otoh, if the browser crashes and the user restarts it, he might hope to pick up where he left off ...
What do others do?
PHP sessions work by saving a cookie to the user's browser containing the ID of the session on the server. Therefore PHP sessions work exactly like ordinary cookies do.
If you close your browser, cookies are persistent. The server doesn't know what instance of the browser the user is using, whether the browser has restarted, or even if the computer has restarted.
Providing a log-out button is the most usual practice here, but if for some reason you require the user to be logged out when the browser closes, you will have to implement something client-side, as the browser doesn't send any signal to the server when it closes.
If you are concerned about security - i.e. you are programming a highly secure application such as a payment gateway - you can follow the practice of bank websites or other payment gateways;
When the user returns to the site, they are still logged on, but when they try to perform any action that will affect the logged-in user, re-authenticate with another password screen, or ask for some memorable information.
This is a classic behavior, you can observe it on many sites, including Stack Overflow :)
Your session variable is bound to a cookie in the browser. If you want the user to really be logged off when the browser closes, sets the time of the session cookie to zero.
When you explicitly set a cookie, you can choose its expire time. When you're using session_start() to generate a session cookie, its expiration time is determined by the session.cookie_lifetime value in php.ini. If you set this to 0, session cookies will expire when the browser window is closed.
Is PHP sessions the same as cookies? I ask this because I'm writing a privacy policy and the site uses PHP sessions, MySQL, JQuery and CSS. If Session are not the same should I change or leave the cookies name?
Here is what I have so far.
Cookies - The Website uses "cookies," a technology that stores a small amount of information on a user's computer to permit the Website to recognize future visits using that computer. Cookies enhance the convenience and use of the Website. For example, the information provided through cookies is used to recognize you as a previous user of the Website (so you do not have to enter your personal information every time), offer personalized content and information for your use and otherwise facilitate your Website experience.
PHP sessions are stored, by default, in a temp directory on the webserver. The session id is stored in a cookie called PHPSESSID. By default, these are not tracking cookies and don't have to be persistent (e.g. they expire whenever you close your browser). So they are safe to use even in websites that have enforced privacy regs.
For instance, I worked for a major branch of the U.S. military and we used _SESSION's all the time, despite the U.S. government forbidding a great many types of cookies.
To make a session cookie non-persistent:
// Make the session cookie last for 24 hours.
ini_set('session.cookie_lifetime', 86400);
Sessions are stored in the server, and after an previusly set ammount of time, it dies, or in other words, its deleted. Sessions do not need permission from the user to create, as a matter of fact, php initializes a session for each new web request that arrives from an ip to the server.
Cookies, on the other hand, are data stored in the browser's data folder, and every user needs to authorize the site to use them, and of course, they are not shared, meaning that IE and Firefox cannot share a cookie.
An example would be to login in this site and next time you point your browser it will remember your credentials, but if you try to open it with IE, it won't know who you are, hence the fact that they don't share data.
Hope it helps
Best of luck!