PHP Session - Multiple Users With 1 IP - php

On Monday, I thought I had solved the session hijacking security issue by setting the session as the user IP, until I logged in. I had two users with the same IP (myself and a test user) and it kept switching between the two. Is there a way to prevent this and allow two users with the same IP to register on my site?
Thanks in advance,
Terry.

You may have been reading advice about storing the user's IP in a table along with the session id (not in place of). You'd then check to make sure they're coming from the same IP on subsequent requests; otherwise, force them to login again. This method has problems as well: a user's IP can change as often as every ten minutes, depending on their ISP!
Use the session id provided by PHP as it's unique and difficult to guess. Require it to be read from a cookie and never from the URL.

SSL the entire site if it is a concern and apply a short cookie time out. The SSL will encrypt the cookie and the transmission so it cannot be sniffed off the wire. A short time to live will make the cookie useless soon after it has been taken from the "logged in" computer if they have direct access to the system. So, in short, get a security cert and go on as normal with a normal PHP session.

I take it you're looking for the user's information in the MySQL database, using their IP? That is wrong. The only way to be truly unique is with a primary key field.
Either store the primary key as the session and pull their data, or store relevant information in the session and only pull anything else when it is needed.
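Putting the answers above together in code, as an added example that is not from any of the original posts: PHP's own session is configured so the id is only ever read from a cookie (never the URL), the cookie carries the flags the HTTPS advice elsewhere on this page asks for, and only the user's primary key is kept in the session, so two users behind one IP never collide. The function names and the 8-hour absolute timeout are assumptions.

```php
<?php
// Added example (not from the original answers): configure PHP's own session
// so the session id is only ever read from a cookie, then store the user's
// primary key in the session instead of keying anything off the client IP.
declare(strict_types=1);

function configureSession(): void
{
    // Never accept a session id from the URL; only from the cookie.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server never issued (blocks fixation with a made-up id).
    ini_set('session.use_strict_mode', '1');
    // Cookie flags: HTTPS only, not readable from JavaScript, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,            // session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call after the password check succeeds. $userId is the users table primary key.
function loginUser(int $userId): void
{
    // Fresh id on privilege change, so a pre-login id cannot be carried over.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

// Returns the logged-in user's primary key, or null when nobody is logged in
// or the login is older than $maxAge seconds (an absolute timeout; assumed value).
function currentUserId(int $maxAge = 8 * 3600): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['login_time'])) {
        return null;
    }
    if (time() - (int) $_SESSION['login_time'] > $maxAge) {
        logoutUser();
        return null;
    }
    return (int) $_SESSION['user_id'];
}

function logoutUser(): void
{
    $_SESSION = [];
    // Also expire the cookie on the client side, with the same flags it was set with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Usage on every page:
configureSession();
$uid = currentUserId();
if ($uid === null) {
    // show the login form; after verifying the password: loginUser($row['id']);
} else {
    // load anything else with: SELECT ... FROM users WHERE id = :id  (bind $uid)
}
```

Nothing here looks at `$_SERVER['REMOTE_ADDR']`: the session cookie is the credential, and the primary key in `$_SESSION` is what the database is queried with, which is exactly why two users sharing an IP stop interfering with each other.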

Related

PHP User System Security

I have a small internal website for a charity; it's where the staff log in to access documents and the rota. Although it's only meant for certain users, it is on the web, so it's public; therefore I'm still thinking about security. I need your opinions on the following because I'm not very experienced.
I've always stored two cookies when the user logs in. The first is their user id and the second a cookie id, so people can't just change the user id and be logged in; the cookie id needs to match. It's compared to the database every page. The problem is the cookie id is just a random number; it will take no time for a PC to cycle through a range of a few hundred thousand combinations to find the matching ID for each user. So how can I stop this? Would PHP's uniqid be good enough?
What other attacks should I consider, apart from SQL injection (already prevented)?
Thanks
Store the client IP of each session on the server.
If the client IP for a session changes, then that's suspicious.
Another thing would be to give sessions a lifetime.
Like, invalidate a session if nothing happened for an arbitrary amount of time.
Last but not least, only store a random ID in the session database and map that to the user instead of storing the user id directly in a cookie.

Remember me cookie forgery

When a user logs in and checks the "remember me" box, I generate a key (very random numbers on an md5) for it and save it in their cookies. If the user is not logged in, my code checks for a "remember me key" cookie; if it matches a user, then he's logged in.
My question is, how do I stop users from copying their remember me key cookie and passing it to their friends? Because if they do that, the person who copied the cookie will be logged in without even knowing the password of the account, then they would access a premium account without buying it.
I can't bind the key to the IP, or else the remember me wouldn't work well, since lots of computers change IPs very often. I thought about saving the user agent and other browser info; what do you think?
You can detect the sharing of cookies by regenerating the key for the cookie each time it's used. If someone gives a remember-me cookie to someone else (or it's stolen) and they both use it, then they will both end up with different keys after they use their cookie.
Only allow the most recently generated key for each account. If someone uses a key that doesn't match the database value, then invalidate all sessions associated with the user.
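The rotation scheme in this answer, and the earlier answer's advice to keep only a random ID in the session store mapped to the user, as an added example that is not code from any of the posts. The store is an in-memory array standing in for the database table, and the user id and function names are constructed assumptions; a real deployment would persist the key hash per account.

```php
<?php
// Added example (not from the original answers): a "remember me" key that is
// rotated on every use, so two clients sharing one cookie end up with different
// keys and the stale one reveals the sharing. The store is an in-memory array
// standing in for the database table; the user id is constructed.
declare(strict_types=1);

// $store[userId] = ['key_hash' => string|null]  -- one current key per account.
// Only a hash of the key is kept, so reading the table does not yield usable keys.
$store = [];

function newKey(): string
{
    // 32 bytes from the CSPRNG, hex-encoded: 256 bits, not guessable or enumerable.
    return bin2hex(random_bytes(32));
}

function keyHash(string $key): string
{
    return hash('sha256', $key);
}

// Called at login with "remember me" checked. Returns the cookie value to set.
function issueKey(array &$store, int $userId): string
{
    $key = newKey();
    $store[$userId] = ['key_hash' => keyHash($key)];
    return $userId . ':' . $key;   // the user id rides along so lookup is by primary key
}

// Called on a request with no live session but a remember-me cookie.
// Returns ['user_id' => int, 'cookie' => string] on success, or null.
// A presented key that does not match the account's current key means the
// cookie was used from somewhere else after rotation: the account's key is revoked.
function redeemKey(array &$store, string $cookie): ?array
{
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                                 // malformed: ignore
    }
    $userId = (int) $m[1];
    $key    = $m[2];
    if (!isset($store[$userId]['key_hash'])) {
        return null;                                 // no current key for this account
    }
    if (!hash_equals($store[$userId]['key_hash'], keyHash($key))) {
        // Stale or forged key: revoke everything for this account, force a password login.
        $store[$userId]['key_hash'] = null;
        return null;
    }
    // Valid: rotate, so this exact cookie value can never be used again.
    return ['user_id' => $userId, 'cookie' => issueKey($store, $userId)];
}

// Walk-through with a constructed account: user 42 logs in and gets cookie A.
$cookieA = issueKey($store, 42);
// The legitimate browser redeems A and receives cookie B; A is now dead.
$first = redeemKey($store, $cookieA);
// A copy of cookie A presented by a second client is stale: it fails and
// revokes B as well, so whoever holds B is also sent back to the password.
$second = redeemKey($store, $cookieA);
$third  = redeemKey($store, $first['cookie']);
var_dump($first !== null, $second === null, $third === null);
```

The account owner being forced to log in with the password is the detection signal; a server log line at the revocation point is the natural place to count how often it happens per account.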
My question is, how do I stop users from copying their remember me key cookie and passing it to their friends?
Best solution is not to use remember me:
https://www.owasp.org/index.php/Guide_to_Authentication#Remember_Me
If you still want to, then you could check the requester's browser and IP, but then maybe you'll have usability issues. Limiting the number of concurrent sessions to 1 per paid user may deter the exploit you are concerned about.

how to use remember me functionality with own unique device id's

In this age we have different machines, devices and phones, but sometimes we would like to be remembered by our own name.
I have a website where one person should be able to check "remember me" on the device he is currently working on, and having this working on all of your devices in the house.
Currently I was using a remember me function which creates a hashed key, saving it in the cookie, and in the database.
However, when logging in with the same user but on another device, the hashed key in the database is overwritten, so the remember me function on the first device is down.
I was thinking to create a session table to hold the different sessions (although it might hold different sessions for one user as well).
So, question:
How can I set/generate a unique session key for a device with PHP?
A browser fingerprint won't do, as I use the same browsers on different devices.
Anyone got ideas?
Of course I need a secure solution; preventing copying the cookie to another device or changing cookie information (from your user to admin) is important.
For a start having a hash key instead of a username does not add any extra security.
Just use a cookie with the username in it. The password is there for security.
I would do the session table to store all the sessions. Store the user's ID and the session ID in a cookie, that way when the user comes back, you can check to see if they are both in the table. If they are, they don't have to log back in.
The basic idea is to store the session ids from the different devices and tie them to one user. On the database level that means you don't have a "session_id" field in your user table but a separate table with "session_id" and "user_id" columns.
Please think about the security implications of session fixation and session hijacking. For a description of a more secure "remember me" system, read these articles:
http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/
http://jaspan.com/improved_persistent_login_cookie_best_practice
Of course I need a secure solution; preventing copying the cookie to another device or changing cookie information (from your user to admin) is important.
Ultimately, this is solving the wrong problem.
The way to prevent this is to:
Use HTTPS everywhere.
Send all cookies over HTTPS, with the secure and httpOnly flags.
That's it. This is related to the problem of client authenticity. There are some techniques that can stop lazy attackers (e.g. user agent), but any of these techniques can be spoofed trivially.

PHP and cookies

What is the best way for storing users IDs or usernames so they will not have to login every time?
I want to forward user to the members page if the stored ID or username is compared with the one stored in database.
Is it safe to do it using cookies, and how can I do that?
Don't store their username or password in a cookie. Always assume that everyone on the internet can see every cookie on a person's computer. What you should do instead is save the session_id and the IP address they accessed from to your MySQL table, then save the session_id to a cookie. Most browsers will clear session variables when you close the window, but they will not clear cookies. Therefore you first check the session (are they currently logged in), and if they're not logged in then you check the cookie (were they logged in before, and more importantly, was it from this IP address?).
Of course if they have a session_id but they're not at the proper IP address, make them log in. They could just have an ISP with dynamic IPs, or they could have been listening to network traffic and they're trying to get into the admin user without a password.
This feature should be optional to let people log in from internet-cafe and such, not leaving their data open to everyone.
Yes, a cookie is the only possible way to mark a browser.
You have to store some unique and unpredictable value there. Generate some hash out of the user's data, store it in the database along with other user data and set it as a cookie.
The safest way is to require a valid SSL certificate from the browser, and validate the user agent's certificate server-side. However, in any browser I've seen, installing such certificates is a big enough pain and hurdle for users that it's probably not suited for a public website. It can however sometimes be seen in intranets.
I just wrote this solution for anyone else who is interested.
http://rabbie.id.au/my-elegant-remember-me-solution-using-php-mysql-and-cookies/
With my sites, I use a custom written Session class. This stores a sess_id and sess_hash in a cookie, which is unique for the current user. An IP address is also stored in the database and checked against the current IP to verify it is the same computer, but that is not the main authentication mechanism. Data is then stored, serialised and base64'd, in the database. I would advise against using PHP Sessions, because they can be accessed by any user with the ID. Someone posting a link to something with the PHPSESSID in it can, for example, let others log into their account.

keep user logged in when he visit the same page again?

Currently I'm using sessions to log in the user. But when I close the browser and open it again I have to log in again. How do you keep the user logged in for, let's say, 2 weeks?
Is it through cookies then?
So you want a "Remember me on this computer" option? Here's a language-agnostic way how you can do it:
Create a DB table with at least cookie_id and user_id columns. If necessary also add a cookie_ttl and ip_lock. The column names speak for themselves, I guess.
On first-time login (if necessary only with the "Remember me" option checked), generate a long, unique, hard-to-guess key which represents the cookie_id and store this in the DB along with the user_id. Also store this as the cookie value of a cookie with a previously specified cookie name, e.g. remember. Give the cookie a long lifetime, e.g. one year.
On every request, check if the user is logged in. If not, then check the cookie value cookie_id associated with the cookie name remember. If it is there and it is valid according to the DB, then automagically log in the user associated with the user_id and postpone the cookie age again.
As to the security risks, if the key is long and mixed enough (at least 30 mixed chars), then the chances of brute-forcing the login are negligible. Further on, you probably already understood what the optional column ip_lock is to be used for. It should represent the IP address of the user. You could eventually add an extra checkbox "Lock login to this IP (only if you have a static IP)" so that the server can use the user's IP address as an extra validation.
And what if one hijacked the cookie value from a user without an IP lock? Well, there's not much to do against this. Live with it. The "remember me" thing is fine for things like forums, where account hijacks wouldn't hurt that much, but I would certainly not use it for admin panels and that kind of webpage which controls the server-side stuff.
It's after all fairly straightforward. Good luck.
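The table-based procedure in this answer, which is also what the earlier "separate table with session_id and user_id columns" answer describes, carried through as an added example that is not code from any of the posts: one row per device, an absolute expiry standing in for cookie_ttl, an optional ip_lock, and the expiry postponed on every valid use. It runs stand-alone on an in-memory SQLite database through PDO; the table, column and function names and the user id and IP addresses are constructed assumptions.

```php
<?php
// Added example (not from the original answers): the "remember me" table
// described above, one row per device, built with PDO on an in-memory SQLite
// database so it runs stand-alone. Table, column and function names are
// assumptions; the user id and IP addresses are constructed.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 365 * 86400;   // one year, as the answer suggests

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE remember_me (
        cookie_hash TEXT PRIMARY KEY,   -- sha256 of the cookie value, never the value itself
        user_id     INTEGER NOT NULL,
        expires_at  INTEGER NOT NULL,   -- cookie_ttl as an absolute unix time
        ip_lock     TEXT                -- NULL unless the user ticked "lock to this IP"
    )');
    return $db;
}

// At login with "remember me" checked. One row per device, so a second device
// does not overwrite the first. Returns [cookie value, expiry time].
function createRememberToken(PDO $db, int $userId, ?string $lockIp, int $now): array
{
    $token   = bin2hex(random_bytes(32));   // 64 hex chars, well past the "30 mixed chars"
    $expires = $now + REMEMBER_TTL;
    $stmt = $db->prepare('INSERT INTO remember_me (cookie_hash, user_id, expires_at, ip_lock)
                          VALUES (:h, :u, :e, :ip)');
    $stmt->execute([':h' => hash('sha256', $token), ':u' => $userId, ':e' => $expires, ':ip' => $lockIp]);
    return [$token, $expires];
}

// On a request with no live session. Returns the user id to log in, or null.
// A valid hit also postpones the expiry (the "postpone the cookie age again" step).
function checkRememberToken(PDO $db, string $token, string $clientIp, int $now): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                        // malformed: do not even touch the DB
    }
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, expires_at, ip_lock FROM remember_me WHERE cookie_hash = :h');
    $stmt->execute([':h' => $hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                        // unknown token
    }
    if ((int) $row['expires_at'] < $now || ($row['ip_lock'] !== null && $row['ip_lock'] !== $clientIp)) {
        // Expired, or used from an IP other than the locked one: drop the row, force a password login.
        $db->prepare('DELETE FROM remember_me WHERE cookie_hash = :h')->execute([':h' => $hash]);
        return null;
    }
    $db->prepare('UPDATE remember_me SET expires_at = :e WHERE cookie_hash = :h')
       ->execute([':e' => $now + REMEMBER_TTL, ':h' => $hash]);
    return (int) $row['user_id'];
}

// Logout on one device removes only that device's row; the others keep working.
function deleteRememberToken(PDO $db, string $token): void
{
    $db->prepare('DELETE FROM remember_me WHERE cookie_hash = :h')
       ->execute([':h' => hash('sha256', $token)]);
}

// Constructed walk-through: user 7 remembers two devices, the laptop locked to 192.0.2.10.
$db  = openDb();
$now = time();
[$laptop, $laptopExp] = createRememberToken($db, 7, '192.0.2.10', $now);
[$phone,  $phoneExp]  = createRememberToken($db, 7, null, $now);
// In a real page the value is sent with the same flags as any login cookie, e.g.:
// setcookie(REMEMBER_COOKIE, $laptop, ['expires' => $laptopExp, 'path' => '/',
//           'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
$laptopAtHome    = checkRememberToken($db, $laptop, '192.0.2.10',   $now + 60);   // locked IP matches
$laptopElsewhere = checkRememberToken($db, $laptop, '198.51.100.5', $now + 120);  // wrong IP: row dropped
$phoneAnywhere   = checkRememberToken($db, $phone,  '198.51.100.5', $now + 180);  // no lock: still valid
$phoneTooLate    = checkRememberToken($db, $phone,  '198.51.100.5', $now + 180 + REMEMBER_TTL + 1); // expired
var_dump($laptopAtHome, $laptopElsewhere, $phoneAnywhere, $phoneTooLate);
```

Storing only the SHA-256 of the cookie value means a dump of the table cannot be replayed as cookies, and the regex check before the query keeps arbitrary cookie contents out of the lookup path; the IP lock stays opt-in for exactly the dynamic-IP reason given in the answer.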
Read this: http://www.php.net/manual/en/session.configuration.php
The setting that you need is session.cookie_lifetime. Session cookies (i.e. ones that do not have a lifetime) are deleted when the browser is closed. If you want the sessions to stay alive for longer, set that setting in php.ini, httpd.conf, or .htaccess. Possibly even with ini_set.
Edit: Actually you can use this function:
session_set_cookie_params(86400*30);
session_start();
86400*30 is 30 days.
See here: http://www.php.net/manual/en/function.session-set-cookie-params.php
Yes. You use cookies to implement the "auto login" (or "remember me") functionality.
This Google search or SO search results should point you in the right direction.
Yes, you should do that using cookies. Here's the manual entry: http://php.net/manual/en/features.cookies.php
Alternately, you can take a look at this function: http://php.net/manual/en/function.session-set-cookie-params.php. It allows you to modify session cookie settings like its lifetime...