There is a problem that I cannot understand when working with the CodeIgniter Session Library. Users on the same network use the same session (we work with a big company, and they told me this: when anybody logs in to the system, then everybody is logged in)! Is this possible? How, and what can I do to fix this bug?
I am using the CodeIgniter core Session Library, and it uses the database.
It is more likely to be an app logic error than a session one.
Maybe you can reproduce it if you try, on your local development server, to use two or more different user accounts (from different browsers).
http://ellislab.com/codeigniter/user-guide/libraries/sessions.html
When a page is loaded, the session class will check to see if valid session data exists in the user's session cookie. If session data does not exist (or if it has expired) a new session will be created and saved in the cookie. If a session does exist, its information will be updated and the cookie will be updated. With each update, the session_id will be regenerated.
I don't know where you read that users on the same network use the same session, but in the CodeIgniter documentation I find that the session is stored in a cookie, and network users will not have the problem you described.
Related
On my website any connecting client gets a session assigned. Upon user verification/login/OAuth that session gets $_SESSION['LoggedIn'] set to true and some user data from the database put in $_SESSION, like the username; upon logout or expiration that session is cleared and destroyed.
However, if a user is on a different device he gets a completely new session. He of course also has to log in there to link that new session to his account.
On Twitter and Google, for example, it is possible to list all those sessions on all those devices, and even terminate them. So how could I link those sessions from the same user in PHP? Especially since everything I put into $_SESSION would be only in that session. In that regard it might be wise to put user data from the database in Redis instead of $_SESSION. Or is there generally something wrong with my approach?
So I was thinking about using CodeIgniter to build an application where my clients can register etc. However, I've been looking at the documentation about sessions, and I was a little confused as to how the cookie data/session data is validated. Could somebody please clear this up for me? I will give my interpretation of how I think it works.
The user logs in -> a session is created and the session id and email are stored in a cookie -> on each page load the cookie data is checked against the database to confirm the user's session id matches their user agent, IP and perhaps other things?
I'm sorry if that is horribly wrong, but I'm having a hard time understanding the logic of securing a session. Thank you for your help!
This is straight from the CodeIgniter manual:
http://ellislab.com/codeigniter/user-guide/libraries/sessions.html
How do Sessions work?
When a page is loaded, the session class will check to see if valid session data exists in the user's session cookie. If session data does not exist (or if it has expired) a new session will be created and saved in the cookie. If a session does exist, its information will be updated and the cookie will be updated. With each update, the session_id will be regenerated.
It's important for you to understand that once initialized, the Session class runs automatically. There is nothing you need to do to cause the above behavior to happen. You can, as you'll see below, work with session data or even add your own data to a user's session, but the process of reading, writing, and updating a session is automatic.
I was just wondering. Let's imagine I have a website with a login system in PHP, and if the user successfully logs in to the system the PHP sets something like: $_SESSION['user']="Loggedin".
And now, if you as a user of the website could just create your own PHP script in your XAMPP folder or whatever, set the session user to logged in, and get access to my site?
Thanks!
No need to worry about this.
If you use a cookie for this then there is an issue of it being hacked and so on. But with a session, it is stored on the server side, so whether the user creates a file and uses it or tries to get data by using a session variable, they can't.
A user can't get a session variable from their local server; they would have to access the session variable from the same server.
And one more thing: this session is destroyed when you close your browser.
A PHP session stores user information on the server for later use.
So if you are making a session on your localhost with the same name, that doesn't influence the one on the website/server.
Remember that session information is temporary and will be deleted after the user has left the website.
I have a problem: when a person logs in he should be restricted to only one IP address. He should not be able to log in through a different machine at the same time, so is there any way to maintain a session without using a session cookie and without using the session id in the URL?
Yes, by writing the session to the database. Apart from the usual session data (id and user data) you also write the user_ip. So, while the session is active you can restrict user access from another IP/machine or even browser (if you set your session uniqueness to be IP and browser headers - user agent).
Please check the link below on how to extend the session handler and save/read to/from the database (and hence not use cookies)
set session in database in php
and this
PHP user authentication using database and ip address?
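The two answers above rely on the same building block: a database-backed session handler that records which user and which client IP own each session. The following is an added example, not code from the original posts or from CodeIgniter. It serves both the earlier question about listing and terminating a user's sessions on all devices and this question about tying a login to one IP/machine. The table name `sessions`, its columns, and the function names are this example's own choices; it needs PHP 8.0+ with PDO, and `REPLACE INTO` is MySQL/SQLite syntax.

```php
<?php
// Added example (not from the original posts or CodeIgniter): a database-backed
// PHP session handler that stores the owning user_id and client IP per session.
// Table/column/function names are this example's own assumptions.

function currentIp(): string
{
    // REMOTE_ADDR is the TCP peer; only trust X-Forwarded-For behind a proxy you control.
    return $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1';
}

class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id VARCHAR(128) PRIMARY KEY, user_id INTEGER NULL, ip VARCHAR(45) NOT NULL,
            user_agent VARCHAR(255) NOT NULL, data TEXT NOT NULL, last_seen INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data, ip FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        // Unknown ID, or a known ID presented from a different IP than the one it
        // was created from: hand PHP an empty session instead of the stored one.
        if ($row === false || $row['ip'] !== currentIp()) {
            return '';
        }
        return $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        // $_SESSION is still populated when PHP calls write() at session close,
        // so the user_id set by login() below is copied into its own column.
        $st = $this->db->prepare('REPLACE INTO sessions (id, user_id, ip, user_agent, data, last_seen)
                                  VALUES (?, ?, ?, ?, ?, ?)');
        return $st->execute([$id, $_SESSION['user_id'] ?? null, currentIp(),
            substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 255), $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE last_seen < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }

    /** Live sessions of one user: the "where am I logged in?" list. */
    public function sessionsForUser(int $userId): array
    {
        $st = $this->db->prepare('SELECT id, ip, user_agent, last_seen FROM sessions
                                  WHERE user_id = ? AND last_seen >= ?');
        $st->execute([$userId, time() - (int) ini_get('session.gc_maxlifetime')]);
        return $st->fetchAll(PDO::FETCH_ASSOC);
    }

    /** Remote logout: drop every session of the user except the one given. */
    public function terminateOthers(int $userId, string $keepId): int
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE user_id = ? AND id <> ?');
        $st->execute([$userId, $keepId]);
        return $st->rowCount();
    }
}

/** Call after the password check. With $singleDevice the login is refused
 *  while another live session of the same user exists anywhere. */
function login(DbSessionHandler $h, int $userId, bool $singleDevice): void
{
    if ($singleDevice && $h->sessionsForUser($userId) !== []) {
        throw new RuntimeException('user already has an active session elsewhere');
    }
    session_regenerate_id(true);   // new ID at the privilege change; old row is destroy()ed
    $_SESSION['user_id'] = $userId;
}

// Usage. An in-memory SQLite database stands in for the real one.
$handler = new DbSessionHandler(new PDO('sqlite::memory:'));
session_set_save_handler($handler, true);
session_start();
login($handler, 42, true);
session_write_close();             // persists the row with user_id = 42
print_r($handler->sessionsForUser(42));
```

Note that the cookie is still the carrier of the session id here; what moves to the database is the decision whether a presented id is honoured. Binding a session to `REMOTE_ADDR` also logs out legitimate users whose address changes (mobile networks, corporate proxies), so the check belongs on sensitive applications only.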
You can create a database table that gets updated with a session ID when the user logs in and removed when they logout. At login, you can check the database to make sure there isn't an active session in the DB.
I am trying to understand security when it comes to session cookies in PHP. I've been reading a lot about it, but I still lack the specifics. I need the basics, someone to show examples.
For example: do I place session_regenerate_id() before every session cookie? What more should I think about? I am asking about specifics in code - examples if possible.
Thank you very much.
I am using 4 session cookies after logging in.
SESSION "site_logged_in" = true
SESSION "site_user_nr" = the number of the user to access user_table_nr
SESSION "site_user_id" = the user's id to use when changing data in tables
SESSION "site_user_name" = the name of the user to display on page
When I check if the user has access, I check if all 4 cookies are set, and if site_logged_in is set to true.
Are there better ways? Do I have the completely wrong idea about this? Can users easily be hacked?
In fact you need to have only one session on your website. When you call session_start() a session is created on the server and the user automatically gets a session cookie. Think of a session as a sort of container placed on the server; you can put whatever you want in that container. However, the session cookie is just a key to access that container on the server.
It means that you can safely put some data in $_SESSION and only the user that has the cookie with the matching session id can read it.
About users being hacked: yes, they can be hacked as long as you don't use an HTTPS connection, because cookies and all other data are transferred in clear text, so if someone intercepts a user's cookie he can access the data stored in the session.
Always use a security token for logged-in users. This security token could be generated using crypt(). After logging users in, change the security token periodically until they log out. Also keep a server backup of all the session variables including the security token (in a database). This would also help you track user login history.
One more personal suggggestion: never use any data from the database as session variables without encrypting it with one of the hashing functions or functions like crypt().
The session information is stored server-side. What you should check is that they're logged in, and that they exist/can log in (in case of deletions/bans).
As you're checking they exist/can log in, you can pull the other information from the database such as name, nr and so on. All you really need is a key called 'logged_in_user' or something that stores the ID of the logged-in user. As Alex Amiryan said, the cookie can be copied, so you might also want to store the IP address of the last accessing view in the session, so you can try to ensure security.
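The answers above describe the pieces (HTTPS, a single logged-in-user key, re-checking the account in the database, remembering the client address) without showing where session_regenerate_id() actually belongs. The following is an added example, not code from any of the original answers: it puts those pieces into plain PHP. Function names, cookie options, the time limits and the $userIsActive callback are this example's own choices; it needs PHP 7.4+ (array form of session_set_cookie_params()/setcookie(), arrow functions).

```php
<?php
// Added example, not code from the original answers: session hygiene for a PHP
// login. Function names, cookie options and the $userIsActive callback are
// this example's own assumptions.

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never read the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie: dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only, so it is not exposed in clear text
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// IP + user agent of the client, compared on every request so a cookie replayed
// from elsewhere is noticed. Caveat: mobile and NAT clients change IP
// legitimately, so a mismatch means "log out", not "attack confirmed".
function clientFingerprint(): string
{
    return hash('sha256', ($_SERVER['REMOTE_ADDR'] ?? '') . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
}

// Call once the password has been verified. This is the one place
// session_regenerate_id() matters: the ID changes at the privilege change, so
// an ID an attacker planted or sniffed before login is worthless afterwards.
function loginUser(int $userId): void
{
    startSecureSession();
    session_regenerate_id(true);
    $_SESSION = [
        'user_id'   => $userId,             // the only fact worth storing; name, roles,
        'fp'        => clientFingerprint(), // etc. are re-read from the database
        'login_at'  => time(),
        'last_seen' => time(),
    ];
}

// Returns the logged-in user's ID, or null. $userIsActive(int $id): bool is the
// caller's database check that the account still exists and is not banned.
function currentUserId(callable $userIsActive, int $idleLimit = 1800, int $absoluteLimit = 8 * 3600): ?int
{
    startSecureSession();
    if (!isset($_SESSION['user_id'], $_SESSION['fp'], $_SESSION['login_at'], $_SESSION['last_seen'])) {
        return null;
    }
    $now = time();
    $invalid = $now - $_SESSION['last_seen'] > $idleLimit
        || $now - $_SESSION['login_at'] > $absoluteLimit
        || !hash_equals($_SESSION['fp'], clientFingerprint())
        || !$userIsActive((int) $_SESSION['user_id']);
    if ($invalid) {
        logoutUser();
        return null;
    }
    $_SESSION['last_seen'] = $now;
    return (int) $_SESSION['user_id'];
}

function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [     // expire the cookie on the client as well
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Usage, assuming the credentials were already checked against the user table:
loginUser(42);
$uid = currentUserId(fn(int $id): bool => $id === 42);  // 42 on the same client, null otherwise
```

With this layout the four separate flags from the question collapse into one key, `user_id`: the fact that it is set is the "logged in" flag, and everything displayed or used for table access is looked up from the database on each request, so a banned or deleted account stops working immediately rather than when its cookie expires.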