Solved: Secure sessions in PHP

TheRobatron · 05-May-2008, 06:18 AM #1

I'm trying to incorperate sessions into an admin section of my site but I'm a bit confused about how to actually authenticate a user as they go to each page. I have looked at quite a few tutorials but they don't seem to explain it. I've heard that you shouldn't store the username and password in session variables and you should store a session ID instead. Where is the session ID stored server-side, how is it created, and how is it cleared when the session expires?

I'd be grateful for any help.

TheRobatron · 10-May-2008, 12:36 PM #2

Bump. Has nobody here worked with secure sessions?

brendandonhu · 10-May-2008, 03:46 PM #3

You can store the username and password in session variables, just not in a cookie. The session ID is stored in a cookie (usually.) This is secure, assuming your server or webhost is setup properly.

Typically, you would authenticate the user, then just store a session variable like $logged_in = true; or $user_id = 5;.

Mudley · 10-May-2008, 10:38 PM #4

i've never worked with sessions at all.
my site is too big for sessions

TheRobatron · 11-May-2008, 03:56 AM #5

Thanks for your replies. Would I store the session ID in the MySQL database with the login details, or somewhere else so it knows who is logged in?

Big-K · 11-May-2008, 05:01 AM #6

http://us3.php.net/manual/en/function.session-id.php

brendandonhu · 11-May-2008, 07:42 PM #7

Session IDs are typically saved in a temp file (session.save_path in php.ini.) There are also 3rd-party session management implementations that use MySQL if you prefer.

TheRobatron · 12-May-2008, 01:28 PM #8

So can I just store the session ID in the members database, and use session_id() to find the ID and logon the user? Would this be insecure because of the stored session ID, or would that method work?

brendandonhu · 12-May-2008, 09:25 PM #9

The session ID is stored by PHP. You can store the user's ID in a session variable, like $_SESSION['user_id'].

TheRobatron · 13-May-2008, 01:04 PM **#10**

So to authenticate someone would I store the username and password in session variables? I'm reading a book on website security and it says not to do that...

brendandonhu · 14-May-2008, 12:47 PM **#11**

You don't need store both, just authenticate the user and then store the username in a session variable.

TheRobatron · 14-May-2008, 05:18 PM **#12**

Sorry if I sound picky, but doesn't that make session hijacking really easy? The username is a known variable, so all someone would need to do is create a fake session with the username session variable.

brendandonhu · 14-May-2008, 10:33 PM **#13**

Session variables are stored on the server. The user can't set/change them.

TheRobatron · 15-May-2008, 12:06 PM **#14**

I get it now

Thanks for all your help!

brendandonhu · 15-May-2008, 06:24 PM **#15**

Search
Search in:
Show Threads Show Posts
Advanced Search

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)