I need to transfer the user session across servers. ie. If user logged in server1 and if the user exists in server2 , then I have to transfer the user session details to server2. For this I used the following technique
From server1, redirect user to http://server2/auth_from_server1.php?sessionid=12345
On server2 (internally, in the PHP code of auth_from_server1.php), do a request to http://server1/secret/check_session_id.php with the sessionid, 12345.
On server1, in the implementation of check_session_id.php, validate the ID and return OK, FAILURE, and session related data you want to pass, such as username, ...
On server2, when the call returns with OK, store the transferred session data, and give the user a cookie and session for this server.
But when the call back function call the auth_from_server1.php the value in session id is null. I tryed to check the sessionid as
if(isset($_SESSION['sessionId']))
echo 'true';
else
echo 'false';
But $_SESSION['sessionId'] is null. In login page I am setting the value for session id as
$_SESSION['sessionId'] = session_id();
Thanks in advance....
Wouldnt it be easier to just store session data in a shared directory?
Alternatively you can store it in a database.
I would suggest writing a custom PHP session handler or using a prebuilt session handler like ShareDance. You can store session information in a MySQL database shared amongst the two machines, a SQLite file, etc.
There are many benefits to using PHP's built in ability to get/set session data by using session_set_save_handler() namely, that all calls to get or set from $_SESSION will work in your application code without any additional modification.
More information can be found here:
http://php.net/manual/en/function.session-set-save-handler.php
A tutorial on writing custom session handlers (old but still relevant) is here:
http://devzone.zend.com/article/141
When server 2 calls server1/secret/check_session_id.php it has to submit the session ID like server1/secret/check_session_id.php?sessionid=12345 and in check_session_id.php you have to call session_id($_GET['sessionid']) before session_start().
Another opportunity could be sharing the filesystem.
Since PHP puts the session in the filesystem, you could share the filesystem (sshfs for example) on both servers.
the setting for changing the destination directory in the php.ini is
session.save_path
This problem can quickly get out hand when you start adding more and more severs to the problem. One of the best solutions that I have found is to store the session on a database and share that database with the servers. Redis typically works great for this. Here is a great guide to get started with redis
I think to store an id of a user in DB is the most appropriate way to do this.It is an error proof way.
Cheers
Related
I was just wondering. Lets imagine i have a website with a login-system in PHP. And if the user succesfully logs in to the system the php sets something like: $_SESSION['user']="Loggedin".
And now, if you as a user of the website, could you just create your own PHP-script in your XAMPP folder or whatever and set the session user to loggedin and get access to my site?
Thanks!
No need to worry for this,
If you use Cookie for this then there's issue to be hacked and son on. But in Session, it will store on server side, so whether user can create a file and used or trying to get data from buy using session variable, they can't.
User can't get Session variable from the local server, they must have to access session variable from the same server.
And one more thing, this session is destroys when you close your browser.
A PHP session stores user information on the server for later use.
So if you are making a session on your localhost, with the same name, that doesn't influence the one on the website/server.
Remember that session information is temporary and will be deleted after the user has left the website.
I have a two diff. project on my XAMPP say it is Project1 and Project2.
When i login with Project1, i check authentication and if it is successful then stored session. The session name is $_SESSION['username'].
The above process is same with Project2.
now,to prevent direct access,i use this code(in both project):
if($_SESSION['username']=="")
{
header("location:index.php");
}
so when i login with Project1, i am also access Project2(without login).
To prevent this, i know that if i create diff. session name for both project then it is solved.
The above thing is in my local server. so i can create diff. session name for my all project.
But suppose my site is online and what happen if my session name is match with diff. site?
There is a millions of websites and there is a possibility that my session name is match with another website's session name.Then this might be happen that some user access my website with another website(in same browser) and he might be access my site without login.
So what happen if session is same for two diff. website? Can user is access my website without login?
If yes then what should i do to prevent it?
Thanks in advance.
UPDATE
according to #Let me see's answer there is a possibility that if two sites are running on the same server then they may share the data.
So suppose the server is sharing then what should i do to prevent it?
Sessions are (usually) stored using cookies, and cookies are domain-specific. So, it doesn't matter if google.com or evilhackerdomain.ru uses the same session name as your app; your cookies are only readable/usable by the domains you specify. Even in the unusual scenario that sessions are managed in some other way, it will be domain-specific.
So suppose the server is sharing then what should I do to prevent it?
To answer your follow up question. You can simply name your session on a specific website using session_name() before your session_start().
session_name('PROJECT1');
session_start();
this one-liner should do it.
Normally the sessionID of the sessions is stored in a cookie and it is related to the hostname and it can be shared by the multiple hostnames having the same domain. and as it is obvious that sessions are stored on the server . So there is a possibility that if two sites are running on the same server then they may share the data..Therefore you should always change the path for storing the sessions on the server for every different website
PHP Sessions are stored in Server. So there won't be any clash between same session names when you go live. Remember, You still have option to store your session in database, which helps you with more secutiry.
Nothing will happen. Because the other Site uses its own database (with own session and user tables). It would only matter if two Sites share the same Database, same tables and same session handling.
User cannot access without log in because of following reasons,
The session data is stored on the server. If two applications are running on the same server and the same domain name, then the possibility is there for them to share session data. Otherwise no conflicts with session values, if the domains are different.
I think if we use a security algorithm like MD5 to encrypt the session which you'll using to login. That will work without problem. For example:
$name_session='username';
$name_session=md5(md5(md5($name_session));
$_SESSION[$name_session]="username_logged";
There is a problem that I can not understand when working with Codeigniter Session Library. Same network users use same session (We work with a big company, and they said me this: When anybody logged in to system, then everybody logged in)! Is this possible? How, and what can I do for fix this bug?
I am using Codeigniter Core Session Library and it uses database.
It is more possible to have app logic error that a session one.
Maybe you can reproduce it if you try on your local development server to use 2 ore more different user accounts (from different browsers).
http://ellislab.com/codeigniter/user-guide/libraries/sessions.html
When a page is loaded, the session class will check to see if valid
session data exists in the user's session cookie. If sessions data
does not exist (or if it has expired) a new session will be created
and saved in the cookie. If a session does exist, its information will
be updated and the cookie will be updated. With each update, the
session_id will be regenerated.
I don't know where you read that same network users use the same session, but in the CodeIgniter-documentation, I find that the session is stored in a cookie, and network users will not have the problem you discribed.
Sorry for the newbie question! I'm making a small website that allows users to create their own accounts. It's not a banking system, and it's unlikely that someone would want to hack it. That said, I am trying to make it reasonably secure, as there are plenty of bored script kiddies out there.
Could someone describe a basic workflow for a user logging in and having a cookie set that will keep them logged in for 30 days?
At the moment I have the following:
Validate and sanitize inputted data.
Check supplied credentials against bcrypt hashed password in DB.
If correct then call "Login" function.
Login function:
a. Delete any session data from DB with userID (table with two columns: SessionString and UserID).
b. Add new session data to DB (newy random generated string and UserID).
c. Write random generated string and UserID to cookie.
d. Set $_SESSION("UserID") with $userID.
But although the two cookies are being created and written to, the $_SESSION("UserID") remains blank... I'm guessing because I can't write to $_SESSION any time I like?
And even once that's fixed, how do I use the data stored in the cookie to log a user in? I'm guessing I don't want to go to the DB on every page load. And it will still require me to create a database object to see if the credentials in the cookie are ok. Is this the right way to this?
Once again, apologies for the newbie question!
UPDATE:
Yes, I do understand the difference between $_SESSION variables and a cookies. I also have session_start() at the top of every page (right after <php with no blank lines). $_SESSION("UserID") just remains blank.
Here's the code from the top of the page:
<?php
session_start();
if(!isset($_SESSION['initiated'])) {
session_regenerate_id();
$_SESSION['initiated'] = true;
}
Thanks for the help.
First off, there is an important difference between a session and a cookie. When you use the $_SESSION[".."] you are creating a session (which lives on the server, compared to a cookie which lives on the client), even though the browser uses a cookie to keep track of the session id. To create a cookie you would use the setcookie() method.
That said, I would recommend you to read through this article which is a step-by-step guide on how to create a secure login script, with persistence using a cookie for a "Remember me"-feature. Describe how to do it in detail would be to extensive for an SO answer im afraid.
Side note:
To be able to write to the session, you might have to call session_start(); prior to getting or setting a session variable using $_SESSION[".."].
Did you write a custom session handler that has your session-files stored in the db? I guess you don't.
If you want to use $_SESSION you have to also do session_start(). When using PHP sessions the cookie to identify the user will be set for you. You will also get session files created in your /tmp directory. That's the location your variables and anything you assign to $_SESSION will be stored.
Unless you define a custom session handler, that will manage the location of the session files, you won't need to query your database. Just save the users credentials in $_SESSION.
See this Tutorial on how to use PHP sessions.
PS: You access arrays like this: $_SESSION["UserID"], not with ().
you might want want to look at this article in which i have already discussed about various types of session hijacking and how you could avoid it.
session security in php
Can PHP sessions be edited like cookies? Or they're stored on the webhost?
The session key is stored in the client's browser, while the data is stored on the server.
When the user makes a request on the server, their session key is sent across the network and the values associated with their key are retrieved from the specific session file on the server and are made accessible via $_SESSION.
It it possible to hijack another user's session if the key is intercepted, which is why you should have specific values in the session which associate to the user's computer/network connection (IP address, for example).
Session data cannot be edited by the user, as they are stored on the server. The user can, however, start a new session and ditch whatever session data he previously had. Also, you should be aware of portential security issues, such as session fixation.
Usually they're stored in the /tmp directory of a webserver if the host isn't careful. This can be changed with session_save_path(), it's something I do with all of my PHP applications that use sessions.
This works like below:
Browser requests page, submitting your SID or Session ID with help of a cookie or with the URL.
Server finds cookie files inside the session_save_path() and unserializes the array
You access that info with PHP
Alas, the only thing the client knows is the session's ID, but that can be hijacked, for example by using cookie stealers, or other Cross Site Scripting methods. If I, for example, got your SO session, SO wouldn't know better than I was you. Unless they also check my IP or something like that.