I have built multiple sites already using PHP that allow users to log in and keep their user id and username in session variables. I keep learning more about security and I want to check what the safest way is to store user information.
I am currently working on a user account page which allows users to view and edit their profile information. Currently the site does a simple MySQL query that pulls the user's information from the database based on the id stored in the session.
Example:
$userid = (int) $_SESSION['userid']; // set at login, never taken from the request
$getUserInfoSQL = $connection->prepare("SELECT * FROM Accounts WHERE id = ?");
$getUserInfoSQL->bind_param("i", $userid); // id is an integer column
$getUserInfoSQL->execute();
$userInfo = $getUserInfoSQL->get_result()->fetch_assoc();
I just want to make sure it's not reckless to provide user information based only on the session variable userid.
You can easily use a session to store user data, as the session contents are stored on YOUR server. However, storing user data in a session can cause some problems:
If you e.g. ban a user, the session would still be active, and the user could browse your site, even though the user is no longer in the database
If a user is logged in on two machines (e.g. a computer and a smartphone) and changes user data on one device, you'd have to update the session on the device they're changing it from, but the other session would still contain outdated info.
Server restarts can wipe session data
Using session variables should be safe enough. The session data is kept on the server and the only thing stored locally on the user's end is the session ID.
PHP stores the session data in a file on the server, but you can store it in the database as well. It's a bit faster and should be safer as well. — Check out the answer by RobertPitt at https://stackoverflow.com/a/2950504/859999 to find out how to store session data in the database.
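The pattern the two answers above describe, as an added example (not code from the question or the answers): only the user id lives in the session, the account row is re-read from the database on every request, and a banned or deleted account is logged out on the spot, which removes the stale-session problems listed in the first answer. The table and column names (Accounts, password_hash, is_banned, account_type) are assumptions, as is a mysqli $connection with mysqlnd (needed for get_result()).

```php
<?php
// Added example, not code from the original posts. It keeps only the user id
// in the session and re-reads the account row on every request, so a ban,
// role change or profile edit made elsewhere takes effect immediately.
// Assumptions: a mysqli $connection (mysqlnd, for get_result()) and an
// Accounts table with columns id, username, password_hash, account_type,
// is_banned; the table and column names are made up for this example.

session_start();

function login_user(mysqli $connection, string $username, string $password): bool
{
    $stmt = $connection->prepare("SELECT id, password_hash FROM Accounts WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    // password_hash() value in the DB; an unknown user fails the same way as a bad password.
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Issue a fresh session id when the privilege level changes (session fixation defence).
    session_regenerate_id(true);
    $_SESSION['userid'] = (int) $row['id'];
    return true;
}

function current_user(mysqli $connection): ?array
{
    if (!isset($_SESSION['userid'])) {
        return null;
    }
    $userid = (int) $_SESSION['userid'];
    $stmt = $connection->prepare(
        "SELECT id, username, account_type, is_banned FROM Accounts WHERE id = ?"
    );
    $stmt->bind_param("i", $userid);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();
    // Deleted or banned since login: drop the session rather than trust stale data.
    if (!$user || $user['is_banned']) {
        logout_user();
        return null;
    }
    return $user;
}

function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the client's cookie as well as the server-side data.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// On a protected page such as the profile editor:
$user = current_user($connection);
if ($user === null) {
    header('Location: /login.php');
    exit;
}
// $user['id'], $user['username'], $user['account_type'] are now fresh from the database.
```

The extra query per request is a single primary-key lookup, which is cheap; in exchange, nothing about the user except their id is ever cached in the session, so there is nothing to get out of date. session_regenerate_id(true) at login matters as much as what is stored: without it, an attacker who planted a session id in the victim's browser before login would share the authenticated session afterwards.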
So I'm fairly new to PHP and was wondering what is secure and what isn't with the user sessions.
So theoretically I have this site with user registration that saves user data in MySQL. When the user logs in to the site, it takes the id that corresponds to the username and password given and saves it to the $_SESSION variable. The site later on uses the $_SESSION value to get data from the database.
I would assume this wouldn't be considered a secure website just from this basic stuff, but can the user change the $_SESSION value to another user's id with ease, or something like that? Or if it's not that easy, what do I have to pay attention to, to make it more secure?
Explanations of why this is secure or why it's not secure, or some info on PHP session security, would be of great help.
A session is stored on the server and cannot be accessed by the user. It is used to store information across the site such as login sessions.
The user cannot edit these values; however, the session's ID is stored on the computer in a cookie as a long random string. If an unauthorized user gains access to these strings it is possible for them to access the site.
I'm currently using PHP sessions to keep track of user sessions, with a last-activity field for timeouts, an id field, and an account-type field. Currently, all of this information, as well as settings data, is pulled from a MySQL database and stored in the session once the user is logged in, and remains unchanged for the duration of the session.
The issue is that I wish to implement the ability for administrators to change users' account types remotely. If the user's account type is changed remotely while they're still logged in, the change in the database won't be reflected in the user's session variable.
One solution to this would be to add a logout_flag column to the users database table. When a user's account type is changed by an administrator, that user's entry in the database will have logout_flag set to 1. Then I can use a session script to check this entry on every page load, and log them out if it's set to 1.
My concern is that this would add too much overhead for the server; with hundreds of users logged in at the same time, this would amount to hundreds of MySQL queries per minute. Is this the ideal solution though?
Try session_save_path(): with that function you can find the path where PHP saves all session files. You can then delete the selected file with unlink().
Be careful with this! If the path is the global /tmp directory, other applications are using it as well and you can break something.
You also need to know the session id of your user; saving the token together with the user id/name at login will help you identify the correct session file.
I'm just wondering, for a PHP session, would it be preferred to store a session variable containing a logged in user's ID or username?
At the moment it stores the username, whereas would ID be safer because to potential "hackers", they may not know which user the ID correlates to?
PHP sessions work by giving an "opaque" cookie to users - that is, the cookie is just a number, and the actual data is stored on your server. When a user sends you the session cookie, PHP looks up the number in a table to retrieve the data you've stored for that user.
This means that it is impossible, without access to your server, for anyone listening over the network to figure out what the session cookie actually means. They would need the table stored on your server. So it really doesn't matter if you store an ID number or a username in the session: if they have enough access to see what's in the session, then they could probably just look up the username based on the ID number anyway.
I have a problem: when a person logs in, he should be restricted to only one IP address. He should not be able to log in from a different machine at the same time, so is there any way to maintain a session without using a session cookie and without putting the session id in the URL?
Yes, by writing the session to the database. Apart from the usual session data (id and user data) you also write the user_ip. So, while the session is active you can restrict access from another IP/machine or even browser (if you set your session uniqueness to be IP plus browser headers, i.e. the user agent).
Please check the links below on how to extend the session handler and save/read to/from the database (and hence not use cookies):
set session in database in php
and this
PHP user authentication using database and ip address?
You can create a database table that gets updated with a session ID when the user logs in and removed when they logout. At login, you can check the database to make sure there isn't an active session in the DB.
A feature that is currently missing from one of my web apps is that a single user can only be logged in on one machine at a time. That is, if the user logs in elsewhere, his previous session will be logged off.
This is due to my current users table having the columns:
user: id, username, hash, salt... cursession
When each user logs in, the session ID is put into the "cursession" field and on each page-load, is checked against the database. As a result, only one "session" can be active at a time.
Is the current table structure and method secure and standard? This system was pretty much improvised, and I have no professional experience.
What would be a way to allow multiple simultaneous logins? I'm simply thinking of adding a "sessions" table with more userid-cursession relations, but what's the standard method for doing this?
I propose that you put the currently logged-in userid in the user's session (as a session variable), and drop the cursession field from the table altogether. You don't need to reinvent session handling since PHP already has it built in.
That way the user can be logged in at multiple computers at once. Session variables are safe too, since they're not manipulated by the browser. The only thing kept in the browser is a session id which identifies the current session, all other data is stored on the server-side. The only thing that will happen if the user changes his browser cookies is that he will be logged out (start an empty session), so he can't force himself to log in as someone else.
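The database-backed session the answers above keep pointing at (deleting a user's session from the server side, recording the client's IP per session, and a sessions table that can hold several rows per user), as one added example that is not code from any of the posts. It keeps the built-in $_SESSION API the last answer recommends and only swaps the storage: PHP still identifies the client by its session cookie, the server side just knows which user and IP each session belongs to. The sessions table layout, the column names and a mysqli $connection with mysqlnd are assumptions; the code needs PHP 8 for the typed interface signatures.

```php
<?php
// Added example, not code from the original posts: a database-backed session
// handler (PHP 8) that records the owning user id and client IP per session,
// so an administrator can revoke a user's sessions and the application can
// limit a user to one session or one IP. Assumed table (made up here):
//   CREATE TABLE sessions (
//     id VARCHAR(128) PRIMARY KEY, user_id INT NULL, ip VARCHAR(45) NOT NULL,
//     data BLOB NOT NULL, last_activity INT NOT NULL, INDEX (user_id)
//   );
// Assumes a mysqli $connection with mysqlnd (for get_result()).

class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private mysqli $db, private int $ttl = 1800) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $cutoff = time() - $this->ttl;
        $stmt = $this->db->prepare("SELECT data, ip FROM sessions WHERE id = ? AND last_activity > ?");
        $stmt->bind_param("si", $id, $cutoff);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        // Unknown, expired, or presented from a different IP than it was created on:
        // behave as if no session exists, so the client starts out logged out.
        if (!$row || $row['ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
            return '';
        }
        return $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        // $_SESSION is still populated when PHP serialises it, so the owner can be recorded.
        $userId = isset($_SESSION['userid']) ? (int) $_SESSION['userid'] : null;
        $ip = $_SERVER['REMOTE_ADDR'] ?? '';
        $now = time();
        $stmt = $this->db->prepare(
            "INSERT INTO sessions (id, user_id, ip, data, last_activity) VALUES (?, ?, ?, ?, ?)
             ON DUPLICATE KEY UPDATE user_id = VALUES(user_id), ip = VALUES(ip),
                                     data = VALUES(data), last_activity = VALUES(last_activity)"
        );
        $stmt->bind_param("sissi", $id, $userId, $ip, $data, $now);
        return $stmt->execute();
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare("DELETE FROM sessions WHERE id = ?");
        $stmt->bind_param("s", $id);
        return $stmt->execute();
    }

    public function gc(int $max_lifetime): int|false
    {
        $cutoff = time() - $max_lifetime;
        $stmt = $this->db->prepare("DELETE FROM sessions WHERE last_activity < ?");
        $stmt->bind_param("i", $cutoff);
        return $stmt->execute() ? (int) $stmt->affected_rows : false;
    }

    // Administrator action (ban, account-type change): log the user out everywhere.
    public function revokeUser(int $userId): int
    {
        $stmt = $this->db->prepare("DELETE FROM sessions WHERE user_id = ?");
        $stmt->bind_param("i", $userId);
        $stmt->execute();
        return (int) $stmt->affected_rows;
    }

    // Single-login policy: keep the session just created, drop the user's other ones.
    public function dropOtherSessions(int $userId, string $keepId): int
    {
        $stmt = $this->db->prepare("DELETE FROM sessions WHERE user_id = ? AND id <> ?");
        $stmt->bind_param("is", $userId, $keepId);
        $stmt->execute();
        return (int) $stmt->affected_rows;
    }
}

$handler = new DbSessionHandler($connection);
session_set_save_handler($handler, true);
session_start();

// After a successful password check (the user's id is in $userid):
//   session_regenerate_id(true);
//   $_SESSION['userid'] = $userid;
//   $handler->dropOtherSessions($userid, session_id()); // only for a one-login-at-a-time policy
// Administrator changing someone's account type or banning them:
//   $handler->revokeUser($targetUserId);
```

With the owner recorded in the row, the logout_flag column and the per-page-load flag check from the earlier question are unnecessary: the administrator deletes the rows and the next request from that user simply arrives without a session. Pinning to REMOTE_ADDR is what the IP-restriction answer asks for, but be aware that it also logs out legitimate users whose address changes (mobile networks, corporate proxies), and that behind a reverse proxy REMOTE_ADDR is the proxy unless the proxy's forwarded header is validated first. If you turn on session.use_strict_mode to reject session ids the server never issued, a custom handler also has to implement SessionUpdateTimestampHandlerInterface::validateId(); without it strict mode has nothing to call.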