I'm writing a webapp in PHP that remembers if a user is logged in. It sets a cookie and if that cookie is present and validated, the user doesn't need to login.
It works properly from a desktop, but on the iPhone, as soon as I close the tab and relaunch it, the cookie is gone.
Is there something I'm missing? I can't see why cookies would be removed when tabs are closed. It would defeat the purpose of many of them.
Actually, I figured it out. I set the cookie to only work over secure connections, but one of the URLs in my iPhone's history was not secure.
I'm currently working on a new website for a client that stores personal information and credit card info on the site. As such, security is a big concern for me. This is the first site I've built that has sensitive information on it, and so I'm not very familiar with the whole subject.
The site manages users using sessions. However, I'm finding it hard to keep the sessions secure. I want to implement a User Agent check that checks the browser every time a page is loaded. This way, when I copy the session ID into a manually-created cookie on my 'attacker' browser, the server will detect the user agent change (from Chrome to Firefox) and reject the session.
My question is, if I do implement this check to run EVERY time a page is loaded, do I run the risk of logging out my legitimate user? Is there any reason that the true user would change their user agent between pages? And if so, how likely is this to happen? Likely enough that I should abandon this approach entirely, or is it an acceptable risk?
EDIT: The cookies are set to expire as soon as the browser is closed. Also, the user agent that is set upon login is stored in the session and is hashed after a salt is appended to it.
Yes, the user-agent string can change. Session cookies often last longer than an individual browser session. If a user upgrades their browser (very common these days with the auto-updaters in Chrome and Firefox) then a different version will appear in the user-agent string.
In addition, some plugins are reported in the user-agent string, causing it to change if a user installs one.
Your user-agent string check doesn't really offer any additional security. I don't recommend it.
So I am working on a site that requires a login against a MySQL database with "remember me" functionality. I got that fine (based off of Jaspan's page). What I am a little fuzzy on is the use of sessions to track user movement. I'm not worried about their history on the site. I've looked around on the interwebs and especially SO, but I haven't really found what I'm looking for. Perhaps I'm just not using the right keywords to search. Anyway... as I said, I have the actual login process, and a cookie is set up with the triplet for the "remember me" functionality. But how do I track the authenticated status while the user is browsing the website? The logged-in user should be able to browse the secure area of the website, or the scripts should output special data, without the website having to check the "remember me" triplet against the database on every page load. I thought to do something like $_SESSION['authed']==true, and every page load would check the session value, but I suspect that isn't a very secure way to go about this. I have observed that if I set $_SESSION['authed']==true, close the browser, open the browser, and go to the site again, it still says authed=true. Now, I DO understand that the session variables are stored on the webserver, not in the browser's cache. However, I can't see the big picture enough to know the right way to go about this.
I thought to do something like $_SESSION['authed']==true, and every page load would check the session value
Yes, that's what you do.
but I suspect that isn't a very secure way to go about this
It's perfectly fine. You establish a session, which means you send a unique cookie to the user. That is your security. The fact that you have a session at all is your security. Then you simply record the fact whether the user is "logged in" or not in that session.
I have observed that if I set $_SESSION['authed']==true, close the browser, open the browser, and go to the site again, it still says authed=true.
Yes, cookies don't necessarily expire when the browser is closed. Each cookie has a specified expiration time, they can persist however long you want. Even cookies without an expiration time aren't necessarily immediately discarded when the browser is closed. That may have been the default behaviour of browsers a few years ago, but isn't necessarily true anymore.
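The session-flag approach the answer endorses, written out as an added example (not the answerer's or the asker's code). It keeps the `$_SESSION['authed']` flag, adds the server-side idle timeout that actually ends a session when the browser keeps the cookie past closing, and regenerates the session id at login. The 30-minute timeout and the hardening `ini_set` values are assumptions for the example; `session.use_only_cookies` makes the server ignore session ids passed in URLs.

```php
<?php
// Added example (not the posters' code): session-based login state.
// session.cookie_lifetime=0 asks the browser to drop the cookie on close; as the
// answer notes, that is not guaranteed, so the server-side idle timeout below is
// what really ends a session.
ini_set('session.use_strict_mode', '1');   // reject session ids the server never issued
ini_set('session.use_only_cookies', '1');  // never accept a session id from the URL
ini_set('session.cookie_httponly', '1');   // cookie invisible to JavaScript
ini_set('session.cookie_secure', '1');     // cookie only sent over HTTPS
ini_set('session.cookie_samesite', 'Lax');
ini_set('session.cookie_lifetime', '0');
session_start();

const IDLE_TIMEOUT = 1800; // 30 minutes; assumed value for the example

function loginUser(int $userId): void
{
    // New session id on privilege change blocks session fixation.
    session_regenerate_id(true);
    $_SESSION['authed']    = true;
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

// Call on every page load; returns false and clears the session once idle too long.
function isAuthenticated(): bool
{
    if (empty($_SESSION['authed'])) {
        return false;
    }
    if (time() - ($_SESSION['last_seen'] ?? 0) > IDLE_TIMEOUT) {
        logoutUser();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie in the browser as well as on the server.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage in a protected page:
if (!isAuthenticated()) {
    header('Location: /login.php');   // assumed login page path
    exit;
}
```

The flag itself is not the security boundary; the unguessable session id in the cookie is, which is why the id is regenerated at login and only ids issued by the server are accepted.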
How can I realize a parallel session with PHP? I intend to log in as admin, and then I can see a list of normal users. The admin user should be able to log in as a normal user in a new browser tab by clicking a user.
I tried to give the sessions a unique name and id, but this still hasn't worked.
Session cookies are stored in the browser for the whole browser session, so you can't separate them between windows.
Either you write your own session handler code, that does not use cookies, but appends something like '&sessionid=BLARGROB' to every link, or just install two browsers on your machine. Use Internet Explorer for your user session and Firefox for your admin session, and Chrome for whatever else you'd like to do on your site without invalidating the other sessions. Using several browsers is a good idea to test your layout anyway.
In my login code on my website, if the password & username are correct, I set a cookie to keep the user logged in.
I just heard from a user that he doesn't accept cookies automatically through his browser, and that that prevents him from logging in. That the cookie is not set.
Is there an easy way to counter that?
Tell me if you need the code I use.
It is possible to get this to work but often a real pain if you're using complex javascript/ajax.
In short, instead of storing the session id in a cookie, you embed it at the end of every link.
so
http://example.com/somepage.php
becomes
http://example.com/somepage.php?SessionId=ABC123
Unfortunately, while PHP can do this for you in some cases, it doesn't help with links you build yourself in javascript - and it only takes clicking a single link without the id to effectively log the user out.
See this page for more information
As mentioned by Quentin in the comments, if you're not using a cookie to identify the browser which created the session, it's possible that sharing a link would share the session. This could be mitigated but not prevented by checking IP address/user agent, but this would likely fail in large corporate environments with NAT and standard browsers.
I need a session variable that must exist even after the browser is closed or the system is shut down.
But my page does not support session scope between browsers; that is, I first sign in with Firefox, and when I log in with the Chrome browser it comes to the login page. Why does this happen? Please, anybody, help me solve this problem.
Thanks and Regards,
Alagar Pandi.P
alagar.pandi#gmail.com
Session scope between browsers is not possible. Sessions are identified by a token, which must first be given to the user, and then passed back later by the browser in some form. Generally this is done with cookies, although it can also be done by appending the token to URLs as the visitor browses around the site.
Since web browsers are separate pieces of software with their own methods of handling cookies, you cannot share cookies between browsers, and therefore you cannot share cookie-based sessions. It is possible to copy-and-paste a URL from a web site that contains a session token into another browser and continue the session there, but most sites use cookies, so this is not often possible, and it certainly doesn't accomplish what you would like to do.
What you ask is generally considered impossible, but also usually not an issue. On the plus side, it is also a process generally understood by most users. Users do not expect to log in to a site with one browser, and then boot up another and still be logged in.
Session expiry between browsers, and after browser or system shutdown?
Neither after browser close nor system shutdown.
A session expires when it times out on the server side, and that depends on each web server's settings, for example, after 20 minutes.
Cookies are the only way to track users. They can either be persistent or not. If a cookie is persistent it is stored in the user's computer as a file and has an expiration date but only the browser that created it will be able to access it again. There's no way to achieve cross-browser cookies.
Then you should use client-side cookies rather than session variables.
A session exists only until the browser closes or the system shuts down.
If you still want to proceed with a session variable, then store the session value in the DB, and whenever the login page loads, check the DB whether the user hasn't signed out manually; if so, show him the main page, otherwise show him the login page.
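An added example (not any poster's code) of the database-backed login token this answer proposes, which also covers the very first question on this page: the cookie is issued with the `secure` attribute, so the browser withholds it on any http:// URL and the site must redirect plain HTTP to HTTPS or the user looks logged out. The token survives browser close, is stored only as a hash on the server, and is revoked on manual sign-out. It uses an in-memory SQLite database so it runs stand-alone; the table and column names, the cookie name and the user id 42 are constructed for the example.

```php
<?php
// Added example (not the posters' code): persistent "remember me" token kept in
// the database and checked on page load. SQLite in-memory is used so the script
// runs stand-alone; schema and names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_tokens (
    selector       TEXT PRIMARY KEY,
    validator_hash TEXT NOT NULL,
    user_id        INTEGER NOT NULL,
    expires        INTEGER NOT NULL)');

const COOKIE_NAME = 'remember';
const TOKEN_TTL   = 30 * 86400;   // 30 days; assumed value

// Issue: the cookie carries selector:validator; the database keeps only a hash of
// the validator, so a leaked table cannot be turned into working cookies.
function issueToken(PDO $db, int $userId): string
{
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO login_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + TOKEN_TTL]);
    return $selector . ':' . $validator;
}

// Send the token with explicit attributes. With 'secure' set, the browser sends
// the cookie over https:// only, which is the behaviour seen in the first question.
function sendTokenCookie(string $token): void
{
    setcookie(COOKIE_NAME, $token, [
        'expires'  => time() + TOKEN_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Check on page load: returns the user id, or null when the token is malformed,
// unknown, expired, or was deleted by a sign-out.
function checkToken(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM login_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison so response timing does not leak the stored hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int)$row['user_id'];
}

// Manual sign-out deletes the row, which invalidates the cookie everywhere.
function revokeToken(PDO $db, string $cookie): void
{
    $selector = explode(':', $cookie, 2)[0];
    $db->prepare('DELETE FROM login_tokens WHERE selector = ?')->execute([$selector]);
}

// Usage: issue at login, check on each page load, revoke at sign-out.
$token = issueToken($db, 42);
var_dump(checkToken($db, $token));   // the user id while the token is valid
revokeToken($db, $token);
var_dump(checkToken($db, $token));   // null after sign-out
```

The lookup is by selector rather than by the whole token so that the database comparison is an indexed exact match and the secret part is compared only with `hash_equals`. Note that this still cannot share a login between two different browsers: each browser holds its own cookie jar, so each must be issued its own token.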