So, if a login/registration system is created, so that when the user logs in, the user is redirected to another members-only page (member.php), I would store the login information in the user's session.
When the user navigates to the members page, prior to allowing him to see content, I'd want to make sure that the username/password is valid, and the user is validly logged in. How might I ensure that the user is validly logged in when he/she gets to the member's page, to me it seems like using:
if (!isset($_SESSION['username']))
{
die("You aren't allowed to access this page");
}
would work, however I want to ensure it's secure, and to me, it just doesn't seem secure enough (because if there was some way of spoofing a session, all they'd have to do would be to include any sort of text as the username).
I don't really know, so how would I check whether the user should have access to the page?
Session variables are stored on your server, not on the users computer like a cookie. So the user can't ever modify $_SESSION['username']. The only thing you have to really be wary of with sessions is session hijacking (where a user gets the session id of another logged in user, and uses it to pose as that user)
A user may spoof a session ID cookie if they know a valid value, but not the session data itself, which is stored on the server.
Thus, they may not just "send you" session data with a certain username.
If they have access to the browser of someone who is logged in, they may be able to steal their SESSID (which is stored on the client), but per-IP sessions can mitigate that somewhat.
Put an encrypted password cookie/session var with a salt perhaps, to be checked against the db every now and then.
Related
I have build a php website, you can enter your login information and it safes a authentication cookie in your browser. After that a SESSION variable called 'user' is created and you can continue to the user specific pages. My question is, when the user switches to another page for example his settings should i check his login information again(hash auth_token and compare it to the value in db) or is it enough just to check isset($_SESSION['user'])
Sessions are stored on your server, and cannot be directly accessed by the visitor of your website.
This means that if you make sure that, if $_SESSION['user'] can only be set when the visitor enters valid credentials, you don't need to check the cookie every time. You simply rely on the session cookie. Checking it cannot hurt though, so why not do it?
Note that it is possible for a hacker to copy the cookies and pretend to be someone they are not. This is called "cookie spoofing" or session hijacking. Erasing important cookies when an user leaves the website can already defend against that quite well.
You're being somewhat vague about what you store in the "authentication cookie", but I think you're using random tokens which you store in the database and link to an user. That's a good idea. It is important to generate a new token every time an user logs in, and let tokens expire after a certain period if they're not used.
This is the use case:
a hacker login to a web site private pages of another user ("the correct user") using his/her pw
the correct user, without logging-in, changes its password using the "forget password" function
the hacker never log out and his session stay on because he still has the credential as a session data in his browser
What I would like to do is this: once the correct user changes his/her pw the session of the hacker is destroyed by the reset password user function. But the correct user browser has not any reference to the session id/code of the hacker ones so if it is run the function session_destroy() this does not affect the hacker session, just the correct user one. But, since some unique ids linked to the user account are set as session data, it is theoretically possible to identify the session having that field valorized to the correct user id and erase the session itself. The problem is how to do it, does Codeigniter have any function to find a session saved on the server searching for its field values? Currently, I use the default way to keep track of the sessions, so on disk.
I'm currently working on a little instant messaging project. So far everything has been going pretty well.
The only problem is security. When someone logs in, 2 cookies are set.
1) Name: loggedin; Value: {username}
2) Name: mvc; Value: {userSecretKey} <-- pretty useless
These are the cookies that I use so I can setup the next page. However, I believe there is a far better way to do this. And no, I don't want to use sessions because I have a "remember me" feature.
Someone could just set the cookies themselves and "sign in" without actually signing in.
What would be a better way to set this up? Maybe some sort of changing key?
I would suggest using PHP Sessions alongside cookies that are purely used for the remember me feature. You could set it up like this:
User logs in
You store the user IP and Useragent in the session
If remember me is enabled, create a new database entry with the user id, an unique random id + IP & useragent of user, then add a cookie that references the unique random ID.
Everytime you access the session, check that the request IP and Useragent match with the ones originally set in the session when the person logged in.
When the user returns after they close their browser, where only the remember me cookie is left, compare the request IP and Useragent to the one in the Database
If they match, log them back in automatically.
Users have fun.
Cheers!
You can still use PHP Sessions even with a 'Remember Me' function. You just need to set the cookie with the userid or username, and then, if they aren't logged in and the cookie exists, read their info from the cookie and log them in.
Have your logic that checks if the user is logged in check for an active session for logged in user. If it doesn't exist, redirect user to log in. In your login logic, check to see if the 'remember me' cookie is set. If it is, log the user in using the cookie. If the cookie doesn't exist, present a log in form.
for the security bit, you can use the secret key that get's reset when you log the user in. Would it be hijackable, yes, but if you keep changing the secret key/token the window for hijacking should be small.
Please, advice if my thoughts are correct. I have searched for information but have not found exact answer.
User enters username and password and the entered username/password are the same as in mysql.
I create $_SESSION['loggedin'] = 1; This means that somewhere on server is created file with random name like r21bj2a3.... and in user browser is created cookie with value like r21bj2a3....
On next page I check if( $_SESSION['loggedin'] == 1 ). User browser connect to server, send to server information like: I have cookie with value r21bj2a3...., please send me content of ? session? Server sends information that for the particular cookie session loggedin is 1.
As I understand if malicious user gets cookie value r21bj2a3...., sends to server and gets the same answer as normal user?
Depending on $_SESSION['loggedin'] I can not identify particular user? To identify particular user after successful login I can create unique token, record in mysql and pass with session? And on password protected page from the passed session I get token value and check (select) if such value exists in mysql. Is this way ok? May be post some link with good method?
Regarding token. I pass the token value with sessions. That means if malicious user get cookie value, send to server and get answer, containing token value (so malicious user gets rights of normal user)?
I suggest to save all active sessions in the database, you can create a table for doing that, to prevent session hijacking, you can check each particular session (login) and see if user already authenticated, then, do not allow second authentication.
The problem here, how to recognize user?
You can bind some Information like USER_AGENT, and IP Address, however, these information can also be spoofed by hacker, but, the probability is less.
Also, once user signed out, you can delete the session record in the database.
HTTP is stateless protocol.It does not keep track of data across several pages.So we require session which can be globally accessible across all pages in website
For identifying the user who is currently logged into website we need to store value of user_id field in user table into session after he is authenticated successfully.
e.g.
$_SESSION['user_id']=$result['user_id']
And to determine whether user is logged in or not we can check the value of $_SESSION['user_id'] variable .If it is empty then user is not logged in else user is logged in
To identify which user the session belongs to, just set a viable in the session
$_SESSION['user'] = user
You are correct about the cookie giving access to the session. If security is important, use SsL.
I have a website which has a login/logout feature. How can I ensure, 100%, also in a stable technique, that a user won't be a able to login to the same account from two different computers?
Javascript can't be used for this, since it's easy to disable it.
For example, .NET has a Session_End function that executes when a user aborts the connection with the server. How that can be done with PHP?
Thanks, Guy
Note: This technique would effectively logout the account on the first computer when logging in on a 2nd.
When a user logs in, log the session id for the user to the database or equivalent. On each page request, ensure the session id of the user matches the session id stored in the store for their account. Requests from a logged in account with a mismatched session id should be rejected and the user should be logged out.
It depends on how in depth you want to go. Most commonly:
Create a unique session id cookie on login and saved it in the database
All web pages check the session cookie to make sure it's valid
if the session isn't valid, the user is redirected to the login page
When another user tries to log in, it overwrites the previous session
This essentially kicks out the first user
Large companies will also store the IP address in the database as well (so session cookies can't be stolen)