So I have some session checking to see if it's not stolen using PHP. I set a request count as a value in the session array and send a cookie with same value to the client. If the values don't match then someone has interfered.
The problem is that sometimes the values don't match and I doubt someone stole the session and used it. Is it possible that Firefox is slow in storing the cookies?
I'm asking this because I have a broken mouse which click-spams when I click. When I use the touchpad I never disconnect from the app.
Browsers usually have multiple, simultaneous connections open to the same website and download resources in parallel. Trying to count requests is certain to create race conditions.
If you want to reduce the chances of session hijacking, use SSL for your data transfer.
It's probably due to the click-spamming. The cookie will be sent in the response, but if you interrupt the response before the browser fully loads the page, it will probably not process and store the cookie. Of course the session will have been updated because it is updated on the server before the request is sent (on php shutdown).
This would probably cause a condition where
PHP session value is set
cookie with same value is sent
browser request interrupted by a fast click
cookie never gets saved
request is sent and session value updates / values don't match at this point
You should probably find a more reliable method for detecting session hijacking, i.e. SSL.
Related
In relation to How to create a secure login system using cookies and sessions?
I'm building a simple forum, spending my time securing $_SESSION => hashing as mindful person about security but simple one because my future website will be not something giant, I will enable SSL.
Will I need cookie(s) for example about Google Search Console/day's visitors/SEO or nothing special about that and general security ?
Thank you for your help
The Sessions and Cookies both serve the purpose of storing data.The sessions are made at the server and gets destroyed once the connection with the server is lost or the application is closed, while the cookies are made at the client and stays for a defined time, either the application is opened or closed.And you can delete them anytime you wish.
So in relation to the security, the sessions are more appropriate than the cookies.
The latter part of your question is a kind of vague to me, yet I think this answer will be of some help to you. :D
You can find a Cookies vs. sessions comparison here.
There are three main ways, we can get data from our users.
By typing a url or click a link which will be a GET request.
By submit a form which will be a POST request.
Pulling values out of their browser COOKIE that send with every request they make.
and there is one more method to get data which is -
SESSION
sessions are related to cookies.
A session is a file that stored on the web-server file system not on the browser side.
So, when we want save some information, the process is instead of sending a cookie to the user, we send them as a reference to that session file.
So on every request they make to the web server after that they send the reference and were able to lookup that session file and pull all the data out of it.
So the most important difference with sessions that they stored in server-side not client-side.
All we send to the client is a reference to help us find that file.
Using sessions has some benefits and drawbacks -
PROS -
More storage than cookie.
cookie is limited to 4000 characters maximum.
for session, it is limited to only by the file storage size that you have on a web server i.e; how big is the hard-disk, that's the limit.
Smaller request sizes because session uses reference.
Conceals data values.
More secure, less hackable.
CONS -
Slower to access.
You won't see much difference on camparing to cookies, but it is.
Expires when browser is closed.
Cookie can live 6 months or more.
Session files accumulate.
We want to use sessions instead of cookies for keeping track of a few things. However, when I close my browser, and I reopen a page to echo a session var, it doesn't exist (which is how it is suppose to be). Is it possible to prevent this from happening with some magic or anything?
This is not a duplicate question, all I see are people wanting to destroy sessions, I want to do the opposite and retain the session for as long as possible.
Any knowledge would be appreciated.
The right way of doing this is with a database, you can mimic or control php sessions and store them in a database instead of in a file ( as normal ). Then once you have control of the data you can base renewing session via the ip address or better yet by login.
So say a user logs in and then you need to store some data, you store that in the session but php will store it in your database table ( when configured correctly ). Latter the user comes back, initially any visitor would get a fresh session, however once they login you would be able to retrieve the past session they had. You generally don't have much control on if or when a client will delete expired cookies.
This topic is too extensive to put just a few pieces of example code but I did find this small article on the topic.
http://culttt.com/2013/02/04/how-to-save-php-sessions-to-a-database/
The guts of it is to use this function, session_set_save_handler
http://php.net/manual/en/function.session-set-save-handler.php
Once you have control of the data you can do whatever you want, however I would caution you about relying only on the IP address and it would be preferable to use a login system for something like this to prevent serving the session up to the wrong visitor.
You cannot reliably control what happens on the client side, even using a separate cookie would not be reliable and would have the disadvantage of storing data on the client where it could be accessed instead of keeping it on your server. Sessions are controlled by cookies but the data in them remains on your server, the cookie just identifies the client.
As a side note, I personally dislike using sessions at all. It may be possible to store what you need in the url, then it can be bookmarked. The classic example would be input for a search form ( via $_GET ) or for paging purposes. There is nothing wrong with doing this if it's not secure data. The problem with sessions is if the data is for a page such as my "classic example" or for paging you get only one session, so you would only be able to have one set of search data at a time, in the url you could have several sets of search data open at once. That said it does largely depend on what you need to save or persist.
Reset the session cookie manually.
$lifetime=60*60; // duration in seconds
session_start();
setcookie(session_name(),session_id(),time()+$lifetime);
You can use session.gc_maxlifetime and session_set_cookie_params, i.e.:
// server should keep session data for AT LEAST 1 Year
ini_set('session.gc_maxlifetime', 3600 * 24 * 365);
// each client should remember their session id for EXACTLY 1 Year
session_set_cookie_params(3600 * 24 * 365);
session_start();
Note:
You can also change the session options globally by editing php.ini -
Session configuration options
PHP sessions use session cookies. Browsers have their own ways of dealing with them but they all consider them to be trash if you close the browser.
Session cookies are not and can not be made persistent. If you need persistent cookies, just use a regular cookie to save a user identification code that your server would recognize, and save their session information in a database or flat file indexed on that id code.
Note that accumulating sessions on the server progressively causes important performance and security concerns.
Note on other answers: All of them mention ways to extend the session cookie expiration which will not overcome the regular behavior when you close your browser window.
Background:
I am trying to write a script that connects on a regular basis to a web server and checks if some information on a specific page was changed. I already got this working using a combination of bash (for scripting), curl (for the actual connection) and crontab (for the scheduling).
Since the server requires authentication, I first used curl to do a POST request on the login page with my credentials and saved the cookie file (containing the PHPSESSID). Now i can use the cookie file when doing the request for the actual web page I want to check.
Question(s):
When does the server actually clear the PHPSESSID i set with my first request? I imagine it must do this sometime, otherwise it would crash because it keeps storing information about every single session that was ever started.
If the PHPSESSID is cleared on closing the browser is there some way i can simulate that even using curl?
It's a little more complicated than just "when it's cleared"
A session has a lifetime in PHP. The default is 24 minutes. That means that after you connect to a website, your session is valid until
You close the browser (which won't be simulated with cURL unless you just drop the cookies)
OR
24 minutes pass
Each time you load a page and the server calls session_start() that expiration time will be bumped an additional 24 minutes (technically speaking it's actually bumped 24 minutes at the end of the script execution on pages where session_start() is called).
When that cookie actually expires, your session is no longer valid, and $_SESSION will be empty on the server side. But your data is still on the server until the next time that the server performs a session garbage collection cycle to clear out expired sessions which, depending on the session handler in use on the server, may or may not actually delete your data. A bank, for example, might send the data off to an archive server in case they ever need the records.
The server removes the session after the session timeout-time has passed after the last request. This is by default 1440 seconds (24 minutes), it can be changed in php.ini file.
The session is not flushed serverside on closing the browser, the client loses his session data though, since the browser deletes his local memory of the session. But if you keep your sessionid somewhere safe you can use it later on again, if you stay within the timeout frame of course.
This is exactly how session hijackings work, they get your sessionid in some way and can then set this sessionid on their own machine and continue your session.
Am doing online Quiz type of script in PHP. User needs to attend 50 Question in 45 minutes.
After that time it should close the page or Submit the answer to the next page.
It is better to use cookies or sessions. How can i do that.
Am novice in session concept so can u suggest the suitable code.
Awaiting the earliest reply
I assume, as this is a quizz, you'll count point, record ranks, etc. So your users will eventually try to cheat.
Therefor, I would recommend sessions which are only server-side.$_SESSION is an array, like $_GET and $_POST, unique to every user using your website. You can put and retrieve anything when you want.
The only thing client side is a special cookie, called PHPSESSID, which is your visitor's id, used by PHP to retrieve his $_SESSIONarray.
Only things you have to do is to begin every page with session_start(); , before any instructions (except if you use buffering like ob_start())
The main difference between cookies and sessions is where the data is stored.
With cookies, you send the data to the browser, and the browser keeps sending it back to you with every request thereafter.
With sessions, you're storing the data in memory, and then just setting one cookie that has an ID to identify the chunk of space in the server's memory where the data is stored.
The crucial difference is that when the data is stored in cookies:
it can be edited by the user
it can be seen on the network as requests are made
it adds to the weight of each request in additional bandwidth required
it takes up less server memory
When data is stored in the session:
it can't be accessed by the user without going through you
it's not sent back and forth with each request (only the session ID cookie is)
but it takes up memory on the server
it can cause issues on larger sites when needing to move to multiple web servers
I would say it depends on scale. For a lot of questions, those cookies will get heavy and make each request very large. If you quiz is running in an environment that is spread across multiple front-end web servers, sessions might be out of the question.
I suspect the deciding factor is going to be the integrity of the quiz though. If it's crucial that the user can't change the data (such as previous answers, a running score or a timestamp for the start of the quiz) then you'll need to store the data out of their reach, which means using sessions.
I have an API that is dependent on certain state information between requests. As an easy first version of the code, I am simply using PHP session's to store the state information instead of something more advanced (APC, memcache, DB). Throughout my initial testing in a web browser, everything worked perfectly. However, it seems that when clients try to connect through non-browser methods such as Curl or wget, the state information is not being preserved.
Will a PHP session only be created if a browser is requesting the page? I am explicitly starting the session with session_start() as well as naming it before hand with session_name().
An added note. I learned that one of the major problems I was having was that I was naming the session instead of setting the session id via session_id($id); My intention in using session_name() was to retrieve the same session that was previously created, and the correct way to do this is by setting the session_id not the session_name.
It seems that session information will be persisted on the server as noted below (THANK YOU). But to keep this you must pass the session id, or, as in my case, any other id that would uniquely identify the user. Use this id as the session_id and your sessions will function as expected.
Session Cookies
Remember that HTTP is stateless, so sessions are tracked on your server, but the client has to identify itself with each request. When you declare session_start(), your browser is usually setting a cookie (the "PHP Session Id"), and then identifying itself by sending the cookie value with each request. When a script is called using a request with a session value, then the session_start() function will try to look up the session. To prove this to yourself, notice that sessions die when you clear your cookies.. many will die even as soon as you quit the browser, if the cookie is a "session" cookie (a temporary one). You mentioned that you're naming the session.. take a look in your browser cookies and see if you can find a cookie with the same name.
All of this is to say that cookies are playing an active role in your sessions, so if the client doesn't support cookies, then you can't do a session the way you're currently doing it.. at least not for those alternative clients. A session will be created on the server; the question is whether or not the client is participating.
If cookies aren't an option for your client, you're going to have to find another way to pass a session id to the server. This can be done in the query string, for example, although it's a considered a bit less private to send a session id in this way.
mysite.com?PHPSESSID=10alksdjfq9e
How do to this specifically may vary with your version of PHP, but it's basically just a configuration. If the proper runtime options are set, PHP will transparently add the session id as a query parameter to links on the page (same-source only, of course). You can find the specifics for setting that up on the PHP website.
Sidenote: Years ago, this was a common problem when attempting to implement a session. Cookies were newer and many people were turning off the cookie support in their browsers because of purported security concerns.
Sidenote: #Uberfuzzy makes a good point- Using sessions with curl or wget is actually possible. The problem is that it's less automatic. A user might dump header values into a file and use the values on future requests. curl has some "cookie awareness" flags, which allow you to handle this more easily, but you still must explicitly do it. Then again, you could use this to your advantage. If curl is available on your alternative client, then you can plausibly make the call yourself, using the cookie awareness flags. Refer to the curl manual.
If you call session_start(), then a session will be created if the client isn't in an existing one. If the client doesn't support (or is configured to ignore) the cookies or querystring mechanism used to maintain the session, a new session will be created on every request.
This may bloat your session storage mechanism with unused sessions.
It might be a better idea to only call session_start() when you have something to store in the session (e.g. user login, or something else that robots aren't likely to do), if you feel this is likely to be a problem.
Will a PHP session only be created if a browser is requesting the page?
Short answer: Yes. Sessions were created specifically to solve the HTTP stateless problem by leveraging browser features. APC, memcached, DB, etc. don't matter. Those are just storage methods for the session, and will suffer from the same problem.
Longer answer: The concept of sessions were created to account for the fact that HTTP is a stateless protocol, and it turns out that state's pretty important for a wide variety of software applications.
The most common way of implementing sessions is with cookies. PHP sends the session ID in a cookie, and the browser sends the cookie with the session ID back. This ID is used on the server to find whatever information you've stored in the session. PHP has the capacity to include and read a session ID at the end of a URLs, but this assumes that users will navigate to pages on your site/application by clicking links that include a generated session ID.
In your specific case, it is possible to use cookies with curl (and possibly wget). Curl is a web browser, just one without a GUI. If it's the command line curl program you're using (as opposed to the C library, PHP extension,etc.) read up on the following options
-b/--cookie
-c/--cookie-jar
-j/--junk-session-cookies