I need a way to pass a variable between two page in a secure way.
I know that I can use POST / GET / Cookie / Session or hidden fields but I think none of these ways aren't secure enough because :
get can be seen in the url
cookies is a client side so it can be change from client
session can confront Session ID hijacking and ...
Now I want to know is there another ways better than these ways and if there isn't witch of these is the best way to pass variables in secure manner;
Session is the most secure method you have available.
Session id regeneration will help against session hijacking, but SSL via https will really protect against it.
BTW: If the session is hijacked and you're displaying user data to the client, it doesn't matter how you got the data to the second page, the hijacker will see it. If you're only using it server side, the hijacker won't see it.
Passing variable values between pages using session is most secure
and Regenerate the session id by session_regenerate_id whenever the security level changes (such as logging in). You can even regenerate the session id every request if you wish.
Good Read
PHP Security Guide: Sessions
since session is server side, its the most secure way to pass the variables
and to prevent session hijacking you can use session_regenerate_id function in php
the manual: http://php.net/manual/en/function.session-regenerate-id.php
but that doesn't means you always use sessions to pass variables
you still can use cookies, but encrypt the data before storing them in the cookies.
There is nothing wrong with using GET - as long as they are sanitised correctly... you can always combine get with a hash of the parameters to reduce the risk of it being tampered with, along with use of sessions to ensure they are also legitimate.
Related
I have a quite simple question, which I'm asking because I'm unsure of the answer. I'm building an application where there is a multistep registration form. There are 7 steps and each one is on a different PHP page. I'm also validating the submitted form data once the client goes to the next page.
My questions is:
Is it secure to store all the Validated(only the validated) information in a Session variable and when they've finished with the registration, I'd write those session values into the Database. Is it secure to use sessions for this purpose? If not, how can this method be exploited?
I am also providing the option for people to go back to each step and change the values if they've mistyped something. In this case I would update the Session variables only. Is it safe too?
I'm currently using session_regenerate_id() to prevent Session stealing.
So basically will I be safe to store the data in Sessions temporarily, and then insert them to the database? Can a hacker change that Session data in the meantime, so what I'll insert into the DB will not be the same what I've saved into the session?
I hope you understand my question. Any help would be appriciated!
Yes, it is secure. Session data is stored on the server side, and cannot be manipulated by the client. The only thing the client holds is a session key, which allows the server to match a client up with the stored session vars for that client. As long as you're validating the information before storing them into $_SESSION, you can dump the session variables into the database at the end of the process.
Here is more information on sessions and security. The simple solution to any concerns with session stealing is to just use SSL.
I am also providing the option for people to go back to each step and change the values if they've mistyped something. In this case I would update the Session variables only. Is it safe too?
You will also be fine with this approach, again as long as you're re-validating the session variables.
if you protecting session ids for session stealing then go ahead, sessions are safe variables stored in server-side , every client has own session so if you sure to keep safe your session ids then no problem
I know about all the issues with session fixation and hijacking. My question is really basic: I want to create an authentication system with PHP. For that, after the login, I would just store the user id in the session.
But: I've seen some people do weird things like generating a GUID for each user and session and storing that instead of just the user id in the session. Why?
The content of a session cannot be obtained by a client - or can it?
You're correct. The client just sees a randomly generated session id token. There are ways this token can be misused (hijacked, etc.), but having a GUID on top adds nothing. In contrast, options like session.cookie_httponly (JavaScript can't see session cookie) session.cookie_secure (Cookie can only be transmitted over HTTPS) protect against certain attack scenarios.
The short answer is that $_SESSION is safe and you do not need to worry about its contents being leaked to a user or attacker.
The content of the session is not normally be accessible to the user. You should be able to store the user's primary key and you'll be fine. There are cases where the session can be leaked, on a normal linux system the session folder is in /tmp, however this could be changed in your php.ini to the web root (/var/www/tmp) and then could be accessible. The only other way is if the user is able to get access to the $_SESSION super global by hijacking a call to eval() or by the variable being printed normally.
If you are running on a shared host and using an old version of PHP and/or your server is misconfigured it might be possible for another user on this system to read or even modify a session file stored in /tmp/. I don't know of a single application that takes this attack into consideration. If this is a problem you can store the information in a session table in the database.
Sometimes, for added security, developers may assign a long string to the user's session in order to make hijacking even more difficult. By setting a cookie with this new string at the time of session creation, the app can check for the correct string on subsequent requests to better ensure it is the person who actually logged in.
It's just adding one more thing a wannabe hijacker would have to guess. However, it can be a false sense of security as it does little to protect the session if sniffing is involved because the new cookie is sent right along with the php session cookie. Also, session id's are very hard to guess as it is (as I'm sure you know, just don't place it in the url but, rather, in the cookie).
Session info is stored on the harddrive so it's not obtainable by clients without application intervention.
I've never seen GUIDs being used for sessions, but there are a couple of additional methods I have seen that do add a little more security.
Storing the user's IP - if you need to force a session change based on locations (sometimes geoIP stuff will do this)
Storing the user's HTTP_USER_AGENT header string. Can provide a bit of security against hijacking if the hijacker happens to be using a different browser.
There's a great article on session hijacking countermeasures on Wikipedia, actually.
That being said, I would imagine that anyone storing a GUID as part of a session to use in session security might be failing to see a better solution (such as session regeneration). I can see other uses for a GUID to be stored (maybe it's part of a random generator for a game), but not for use with session security.
i have a login form, which is in login.php. after authorization i moove client to some.php file! so, from following two methods, which is better?
i can send information aboud user id e.t.c by GET
i can use SESSION - s for this
what is more preferred?
and two words about why i ask this question.
i hear somewhere that SESSIONs aren't good programing method, and it's not suggested to use them in such situations...
thanks
Sessions are indeed the preferred solution. You can't trust data sent in the querystring ($_GET, $_POST, $_COOKIE etc) because all of those can be changed by the user, but you can trust the that noone has tampered with the $_SESSION data since $_SESSION is stored on the server.
There's nothing inherently bad about sessions. In fact, in this situation I would store the userid in the session rather than passing it around in the URL. It'll be much cleaner, and more professional, IMHO. Storing trivial information in the session is fine.
$_SESSION might have its flaws, but using $_GET for this kind of thing is even worse.
If I understand the question right, then none. Use POST for this instead and then create SESSION upon logging in.
Let's say user comes to index.php where is login form. He fills in info and push "login". You send the data to login.php using POST. If the user name, password and whatever other information is correct, you create SESSION and redirect user somewhere else.
I would use SESSION if you want to store some information, that is based on the authentication success. Data in GET, POST variables is too easy to manipulate.
If you have to decide between $_SESSION and $_GET, then, for secure stuff, use $_SESSION. All the user can do with sessions is destroy them (by deleting the PHPSESSID cookie), but the user cannot manipulate them.
If you have to pass information once, $_SESSION is very good. You can store some data into the $_SESSION variable, change location via PHP (so the user cannot block the script by means of disabling JavaScript. Just use header('Location: '.$path);), use the $_SESSION content on the other page and the user does not have a time interval when he could destroy the session. This is safe.
The safest way would be to use SESSIONS because that would mean that only a token|identifier is stored on the client side, and all of the data represented by the token|identifier is stored on the server. Besides you can set expiry time for sessions too, that would make it more secure.
SESSION is the best solution . Which makes more secure one .User cant alter any of his data
ive heard a few timse that sessions need to be cleaned with mysql_real_escape_string or htmlspecial chars because they can be modified. what im wondering is how are they modified because when i look at a websites session named PHPSESSID the value it contains is always encrypted.
first of all what encryption method is it using and how is it modified. the reason i want to know this is to better understand how to secure myself based on what methods people are using out there to high-jack sessions
thanks.
They cannot be modified, they're stored on the server. The PHPSESSID is just an identifier, it's not encrypted but randomly generated (so it's unique to each user). People hijack sessions by stealing the PHPSESSID cookie, usually through a cross site scripting attack. Read the answer to this for a nice summary of sessions in php - What do i need to store in the php session when user logged in
Sessions are stored on the server. That means all data is stored in temporary files and are deleted after an x amount of time. The browser does not store session data. It stores an ID of the session, which the server uses to get the right temporary file.
So the user never actually has access to variables stored in a session. But has a reference to their session. It is possible to get someone else's session ID. This way you can pretend to be another user. If sessions are used for validation.
Read up on session hijacking here.
The thing that can get modified is the session id send to you by the client. So, as with all user supplied data, this needs to be 'cleaned' before you use it anywhere, like for example with mysql_real_escape_string before inserting it into a MySQL database.
What's the best and most secure way to go when writing an authentication library in a model-view-controller way?
The things that give me a hard time are keeping track of the users activity and remembering users via a cookie or storing sessions in the database?
Thanks in advance :).
If you want to use sessions, you have secure them against attacks like session fixation and session hijacking.
To prevent both you have to ensure that only authenticated requests are allowed to use the session. This is commonly done by chaining as many specific (possibly unique) informations about the client as possible with the session. But as some informations may change on every request (like the IP address), it can be difficult to find good one.
This is why it is useful to use the method denoted as Trending.
Another good protection measure is to swap the session ID periodically. Thus the period for an attack on a valid session ID is smaller.
The simplest way to implement it is with PHP SESSIONS.
just session_start (); near the beginning of your script and you have access to the $_SESSION global array for holding your authentication data.
Depending on the configuration of your server all the data stored in $_SESSION will only be available on the server from which it is hosted (with few exceptions). You can configure it to be saved in a temporary directory, in memcached, or even a database.
The only thing that is transmitted between the client and your server is a "session key". The key can be passed by cookie or URL-rewrites (which are transparently handled by the start_session output buffer).