What happens if session name is same on two different websites? - php

I have two different projects on my XAMPP, say Project1 and Project2.
When I log in to Project1, I check authentication and, if it is successful, store a session. The session name is $_SESSION['username'].
The process is the same in Project2.
Now, to prevent direct access, I use this code (in both projects):
// Send visitors who are not logged in to the login page; isset() avoids an
// "undefined index" notice when the key is absent, and exit stops the rest of
// the protected page from being rendered after the redirect header.
if (!isset($_SESSION['username']) || $_SESSION['username'] == "")
{
    header("Location: index.php");
    exit;
}
So when I log in with Project1, I can also access Project2 (without logging in).
To prevent this, I know that if I create a different session name for each project then it is solved.
The above is on my local server, so I can create a different session name for all my projects.
But suppose my site is online: what happens if my session name matches a different site's?
There are millions of websites and there is a possibility that my session name matches another website's session name. Then it might happen that some user accesses my website and another website (in the same browser) and is able to access my site without logging in.
So what happens if the session name is the same for two different websites? Can a user access my website without logging in?
If yes, then what should I do to prevent it?
Thanks in advance.
UPDATE
According to #Let me see's answer, there is a possibility that if two sites are running on the same server then they may share the data.
So suppose the server is shared; then what should I do to prevent it?

Sessions are (usually) stored using cookies, and cookies are domain-specific. So, it doesn't matter if google.com or evilhackerdomain.ru uses the same session name as your app; your cookies are only readable/usable by the domains you specify. Even in the unusual scenario that sessions are managed in some other way, it will be domain-specific.

So suppose the server is sharing then what should I do to prevent it?
To answer your follow-up question: you can simply name your session on a specific website using session_name() before your session_start().
session_name('PROJECT1');
session_start();
This one-liner should do it.

Normally the session ID is stored in a cookie, which is related to the hostname and can be shared by multiple hostnames under the same domain. And, as is obvious, sessions are stored on the server. So there is a possibility that if two sites are running on the same server then they may share the data. Therefore you should always change the path for storing the sessions on the server for every different website.
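The two answers above (a project-specific session_name() and a project-specific save path) combined into one bootstrap file, as an added example that is not code from the question or from any of the answers. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params()), that Project1 is served under /project1/, and that the web server user may create the save directory; the same file with the name, path and directory changed serves Project2.

```php
<?php
// Added example: isolate Project1's session from Project2's on the same host.
// Include this before any output on every page of Project1.
declare(strict_types=1);

// 1. A project-specific cookie name: the browser sends Project1's session ID
//    only under this name, so Project2 (with its own name) never receives it.
session_name('PROJECT1SESSID');

// 2. A project-specific save path, so the session files of the two projects
//    never share a directory on the server (path is an assumption).
$savePath = '/var/lib/php/sessions/project1';
if (!is_dir($savePath)) {
    mkdir($savePath, 0700, true);
}
session_save_path($savePath);

// 3. Scope the cookie to this project's URL path and harden it.
session_set_cookie_params([
    'path'     => '/project1/',               // assumption: Project1 lives here
    'httponly' => true,                       // not readable from JavaScript
    'secure'   => !empty($_SERVER['HTTPS']),  // true in production over HTTPS
    'samesite' => 'Lax',
]);

// 4. Reject session IDs the server did not issue (blocks fixation attempts).
ini_set('session.use_strict_mode', '1');

session_start();

// Login guard: isset() covers a missing key as well as an empty one, and exit
// after header() stops the protected page from being rendered anyway.
function require_login(): void
{
    if (!isset($_SESSION['username']) || $_SESSION['username'] === '') {
        header('Location: index.php');
        exit;
    }
}

// Called once the credential check (not shown) has succeeded.
function login_user(string $username): void
{
    session_regenerate_id(true);   // fresh ID, so a pre-login ID is never reused
    $_SESSION['username'] = $username;
}
```

Each protected page then calls require_login() right after including the bootstrap. The cookie path and the save path are independent layers: the path keeps the browser from sending one project's cookie to the other, and the save path keeps the server from looking up one project's ID in the other's storage even if a cookie is copied across.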

PHP sessions are stored on the server. So there won't be any clash between the same session names when you go live. Remember, you still have the option to store your session in a database, which gives you more security.

Nothing will happen, because the other site uses its own database (with its own session and user tables). It would only matter if two sites shared the same database, the same tables and the same session handling.

A user cannot access it without logging in, for the following reasons:
The session data is stored on the server. If two applications are running on the same server under the same domain name, then there is a possibility for them to share session data. Otherwise there are no conflicts between session values if the domains are different.

I think if we use a security algorithm like MD5 to encrypt the session key which you'll use to log in, that will work without problems. For example:
$name_session = 'username';
// Derive the key name from the original (the original line was missing a closing parenthesis)
$name_session = md5(md5(md5($name_session)));
$_SESSION[$name_session] = "username_logged";

Related

How to restrict users to their subdomain

I have a web application where I intend to give each client their own subdomain, like client1.myapp.com, client2.myapp.com, etc. When a user logs in, I store their user ID in the session variable, like $_SESSION['user'] = 4; When $_SESSION['user'] is set, the user is logged in and can access the application. Since user IDs are only unique within each individual client, I need a way to keep users from accessing other clients' subdomains. I considered using the session cookie for that, but then I figured cookies can be hacked. Now I'm thinking of assigning each client a unique client ID and using $_SESSION[$clientID]['user'] instead of $_SESSION['user']. Is that a safe way of solving the problem? What other options do I have?
There's nothing wrong with your $clientID approach.
If you want to get fancy, you could do something like use session_set_cookie_params so the same PHPSESSID cookie could be accessible to all domains and subdomains. This has its benefits especially if your centralized log-in page needs to detect if the user is logged-in for a particular domain or subdomain. Or if you wish to allow a user to log out from all subdomains at the same time, or if you'd like to create an administrative account which can access all subdomains.
Never trust the session id being sent, even if the cookie is tied to a specific subdomain, since the sessions for all subdomains are being stored in the same directory on the server.
A solution for this might be: ini_set('session.save_path', "/path/to/your/folder/$clientid"); then you'd have a unique directory dedicated to each client for storing sessions. The benefit of this approach is that your $_SESSION won't contain information related to another subdomain.
You can also take advantage of session_name so that instead of PHPSESSID you could use client1 or client2, so it's clear which client the session belongs to.
e.g. client2=8d72edf35377a27388cb;client8=b47277bc8e3d4a5f
then PHP can read this cookie and know the client the session exists for.
You can also use a combination of all of the above, whatever works for you.
See the session-related functions here: http://php.net/manual/en/book.session.php
And the session-related settings here: http://php.net/manual/en/session.configuration.php
Try something like this; I hope it helps.
When a user logs in, store their subdomain in the session variable like:
$_SESSION['user_subdomain'] = 'client1.myapp.com';
And when $_SESSION['user'] and $_SESSION['user_subdomain'] are set, the user is logged in and accessing the application; then just check whether the subdomain of the application currently being accessed equals $_SESSION['user_subdomain'] or not.
This way you can redirect a client to its correct application's subdomain if it tries to access other clients' subdomains. In this way you can keep users from accessing other clients' subdomains.
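The subdomain check from the answer above, written out as an added example that is not code from the question or from either answer. It assumes the client subdomains all have the form <label>.myapp.com and that a login page exists at /login.php; the Host header is normalised before comparison so that case or an explicit port cannot bypass the check, and a mismatch destroys the session instead of merely redirecting with it.

```php
<?php
// Added example: tie a session to the client subdomain it was created on, so a
// session ID obtained on client1.myapp.com is useless against client2.myapp.com.
declare(strict_types=1);

// Normalise the Host header: lowercase, strip any :port, and accept only names
// of the form <label>.myapp.com (the domain is an assumption).
function current_subdomain(): ?string
{
    $host = strtolower($_SERVER['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);
    return preg_match('/^[a-z0-9-]+\.myapp\.com$/', $host) ? $host : null;
}

session_start();

// Called once after the password check has succeeded.
function login_user(int $userId): void
{
    $sub = current_subdomain();
    if ($sub === null) {
        http_response_code(400);   // unknown host: refuse rather than guess
        exit;
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $userId;
    $_SESSION['user_subdomain'] = $sub;
}

// Called at the top of every protected page.
function require_login_on_this_subdomain(): void
{
    $sub = current_subdomain();
    if ($sub === null || !isset($_SESSION['user'], $_SESSION['user_subdomain'])) {
        header('Location: /login.php');
        exit;
    }
    // A mismatch means the session was established for another client: drop
    // it entirely so it cannot be replayed here or elsewhere.
    if (!hash_equals($_SESSION['user_subdomain'], $sub)) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');
        exit;
    }
}
```

Storing the subdomain in the server-side session rather than in a cookie is what makes the check trustworthy: the client can present any cookie it likes, but it cannot alter the subdomain recorded against that session ID on the server.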

Allowing sessions on multiple sites

I am working on a site that has a login API. So when people log in on my site, they will automatically be logged in to other sites.
Is there a way a session can be set up so that other websites can use it? If not, is there any other solution?
One way: you can store your session values in a database and use them on other sites. :)
Example:
Suppose my site is deployed on multiple servers and the end user might be redirected to different servers according to traffic; then it would be good to save the session values in the DB.
Yes, it's possible, using for example Redis for the session storage. You should look at configuring PHP sessions to use custom storage. Here is the PHP manual page for this: http://php.net/session.customhandler
What you want to do is probably using a cookie that is spread over your whole domain. This cookie can then be linked to a session. I'm currently working on something like this on Symfony2.
As example:
login.mydomain.com
application.mydomain.com
etc.mydomain.com
login.* will obviously contain my login logic + forms etc. This will also contain an API against which the other applications can verify the cookie. My application will first check if the user is logged in. If not, it will check if it has the required cookie. If it does not, it will redirect to the login.* login page.
If it does have the cookie, it will validate this against my login.* API. Expired > redirect to the login page; if not, it will return the required info of that user and "log in" to my application.
The only problem I have at the moment is storing the session. I use mcrypt to encrypt the contents and store it in MySQL (cookie_id, cookie_contents). I have only one problem: it doesn't automatically purge the expired sessions, and I still have to find a solution for this.
What you are basically looking for is Single Sign-On (just a guess, but I think accurate).

Sharing session across multiple domains on same server in PHP

I need to implement a solution for one of my projects, where I have multiple domains + multiple sub-domains and they all need to share the same session. All domains and sub-domains would be pointed at the single application, which is connected to the single database.
This means that a user who has logged in from any of the domains will be able to visit secure pages of the other domains of the application. Users may change domain by following a link or by opening a new tab in the browser.
I have gone through some articles and found the solutions mentioned below:
Session in Database - What if another user from the same network with the same user agent hits?
iFrame message passing - I heard somewhere that the iFrame renders on document load and then checking the session after showing some page content will annoy the user.
CURL request with CURLOPT_COOKIEFILE & CURLOPT_COOKIEJAR - I have played with this and it is working fine, but I don't know if it is secure and not a performance killer.
Single Sign On (SSO) - I need some R&D to implement this and it would be the last option.
Please suggest what to do.
Just to verify I am not wrong: you need to share the user session across all your applications.
As rightly said above, you may use the 4 options above. However, I would like to focus on the first option, which is putting the session in the DB, and would like to suggest another option: keeping sessions in a shared directory or server.
Sessions in DB - The answer to your question (What if another user from the same network with the same user agent hits?) is that you will have different session ID values to uniquely identify each row in the table. So, no need to worry about it. But the disadvantage is that each time a DB connection would be required and a query would be fired when the session is initialized, i.e. for every single page.
Sessions in shared directory/server - Configure all your applications in such a manner that all applications store the session at a shared location. The shared location can either be a directory or a secured server. This can easily be achieved by using session_set_save_handler.
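A database-backed session store of the kind the "Sessions in DB" option above and the earlier cross-domain answer (custom storage via session.customhandler, with its unpurged expired rows) both describe, as an added example that is not code from any of the questions or answers. It implements PHP's SessionHandlerInterface, which is what session_set_save_handler() accepts, and assumes PHP 8.0 or later, a SQLite file at an assumed path (any PDO driver works), a table named sessions, and that every domain sharing the session sits under example.com.

```php
<?php
// Added example: a PDO-backed session handler shared by several applications.
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo, private int $ttl = 1440)
    {
        // One row per session; expires_at drives garbage collection.
        $pdo->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY,
            data BLOB NOT NULL,
            expires_at INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->pdo->prepare(
            'SELECT data FROM sessions WHERE id = ? AND expires_at > ?');
        $st->execute([$id, time()]);
        $data = $st->fetchColumn();
        // An unknown or expired ID yields an empty session, never stale data.
        return $data === false ? '' : (string) $data;
    }

    public function write(string $id, string $data): bool
    {
        $st = $this->pdo->prepare(
            'REPLACE INTO sessions (id, data, expires_at) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time() + $this->ttl]);
    }

    public function destroy(string $id): bool
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')
                         ->execute([$id]);
    }

    // Purges expired rows. PHP calls this from session_start() with probability
    // session.gc_probability / session.gc_divisor; a cron job can also call it
    // directly, which covers the "expired sessions are never purged" problem.
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->pdo->prepare('DELETE FROM sessions WHERE expires_at <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }
}

$pdo = new PDO('sqlite:/var/lib/php/shared-sessions.sqlite');   // assumption
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new PdoSessionHandler($pdo), true);

// One cookie for example.com and all of its subdomains (assumption: the sites
// that share the session are all under this one registrable domain).
session_set_cookie_params([
    'domain'   => '.example.com',
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();
```

The "same network, same user agent" worry from the question does not arise here: rows are keyed by the session ID PHP generated for each browser, not by anything about the client's network. What a shared store does not give you on its own is a cookie for unrelated domains; the cookie domain above only covers one registrable domain, and separate domains still need the login-API hand-off described in the earlier thread.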

How to achieve session management purpose like google in PHP?

I mean you can login both https://mail.google.com/ and https://mail.google.com/a/company.com at the same time.
The projects I've worked on so far haven't involved this kind of logic; how can these two URLs under the same domain use different $_SESSION?
I think there is no built-in session management feature for this in PHP.
You can use variable-specific management within the session.
For example:
On login from https://mail.google.com/, store all of its session data in $_SESSION['gmail'][X], $_SESSION['gmail'][Y], $_SESSION['gmail'][Z],
and then when another user logs in from https://mail.google.com/a/company.com, store all of its session data in $_SESSION['company'][X], $_SESSION['company'][Y], $_SESSION['company'][Z].
So by this you can separate those two sessions from each other.
Those two URLs share the same domain. Only the subfolders are different. Usually with PHP, the cookie which saves the session ID is valid for the whole domain and not only a specific subfolder. So there should be no problem using the session data with the same domain.
Maulik Vora's answer will work, but another way to do it is to configure PHP to use URL-based session ID passing. That way every tab or window has a separate session. See this page for information on how to do it, and why you may or may not want to. Here are the docs for it.

Can PHP sessions be manually edited?

Can PHP sessions be edited like cookies? Or are they stored on the web host?
The session key is stored in the client's browser, while the data is stored on the server.
When the user makes a request to the server, their session key is sent across the network and the values associated with their key are retrieved from the specific session file on the server and made accessible via $_SESSION.
It is possible to hijack another user's session if the key is intercepted, which is why you should have specific values in the session which associate it with the user's computer/network connection (IP address, for example).
Session data cannot be edited by the user, as it is stored on the server. The user can, however, start a new session and ditch whatever session data he previously had. Also, you should be aware of potential security issues, such as session fixation.
Usually they're stored in the /tmp directory of a web server if the host isn't careful. This can be changed with session_save_path(); it's something I do with all of my PHP applications that use sessions.
This works like below:
Browser requests a page, submitting your SID or session ID with the help of a cookie or the URL.
Server finds the session file inside the session_save_path() and unserializes the array.
You access that info with PHP.
Alas, the only thing the client knows is the session's ID, but that can be hijacked, for example by using cookie stealers or other cross-site scripting methods. If I, for example, got your SO session, SO wouldn't know any better than that I was you, unless they also checked my IP or something like that.
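The defences the answers above allude to (session fixation, a stolen ID being replayed from another machine, binding the session to the client) gathered into one bootstrap, as an added example that is not code from the question or from any of the answers. It assumes it is included before any output on every page, that a login page exists at /login.php, and the timeout values are assumptions. The fingerprint here uses only the User-Agent; the full IP address suggested above can be folded into client_fingerprint() for a stronger binding, at the cost of logging out users whose address changes during a session.

```php
<?php
// Added example: fixation and hijacking defences for PHP sessions.
declare(strict_types=1);

const SESSION_IDLE_LIMIT     = 1800;      // 30 min without a request (assumption)
const SESSION_ABSOLUTE_LIMIT = 8 * 3600;  // hard cap on session age (assumption)

// Refuse IDs the server never issued; without this an attacker can plant a
// chosen ID in the victim's browser (fixation) and wait for them to log in.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');   // never accept the ID from the URL
session_set_cookie_params([
    'httponly' => true,    // keeps the ID out of reach of injected scripts
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// A property of the client that stays constant across its requests. It is not
// a secret, so it only catches an ID replayed from a different browser.
function client_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function session_is_valid(): bool
{
    if (!isset($_SESSION['fp'], $_SESSION['created'], $_SESSION['last_seen'])) {
        return false;
    }
    $now = time();
    return hash_equals($_SESSION['fp'], client_fingerprint())
        && $now - $_SESSION['last_seen'] <= SESSION_IDLE_LIMIT
        && $now - $_SESSION['created']   <= SESSION_ABSOLUTE_LIMIT;
}

// Called after a successful credential check: the pre-login ID is discarded,
// so an ID the attacker knew before login opens nothing afterwards.
function establish_session(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION = [
        'user_id'   => $userId,
        'fp'        => client_fingerprint(),
        'created'   => time(),
        'last_seen' => time(),
    ];
}

// Called at the top of every protected page.
function require_valid_session(): void
{
    if (!session_is_valid()) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_seen'] = time();
}
```

The strict-mode setting is the one that addresses fixation directly: with it on, an ID that does not already exist in the session store is discarded and a fresh one issued, so a value planted in the victim's cookie jar never becomes a valid session.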
