Is the solution simply to refuse login to browsers not supporting cookies?

That's the way I'd go...

However, have you considered comparing IP and seesion id? Or, better still, not using the session id at all, use the username and password instead and just use sessions to register a var like $authenticated whick will read TRUE after a successful login and remain true untill they close their browser or the session length expires...

Nick

>comparing IP

I'd like to do that, but I've read something or other about ISP's like AOL where the same user can have different IP's. It would be helpful for extra validation for sure.

>$authenticated.

OK, might be showing my ignorance here (again) ;)

If the sessionid is in the URL, and someone else loads up the page with the same sessionid, won't the username and password be associated with the sessionid? i.e. They would be seen as the "real" logged in user.

sure, don't do it that way though. Use the username and pass to identify, NOT the sessionid -- you're inviting such disaster by authenticating by sessionid

your $authenticated would only be valid for the current user. If someone else comes in with a sessionid in the url them fine, the $authenticated will read FALSE for them so you know they are not logged in ----- bring up the login form ;)

Nick

Store the time the session was last used and check whether it timed out yourself.

// Let's see whether sessionid is ok 
 $still_ok = time() - $config['session_timeout']; 
 $query = my_db_query("SELECT 
 s.username, 
 s.userid, 
 u.useremail, 
 u.userlevel 
FROM comments_session AS s 
INNER JOIN comments_user AS u 
ON s.userid = u.userid 
WHERE 
 s.sessionid = '$sessionid' 
AND 
 (s.ip = '$REMOTE_ADDR' OR s.userid = 0) 
AND 
 (s.lastaction >= '$still_ok' OR s.userid = 0) 
AND 
 s.needslogin = 0");

If the session is valid...

// update last access in database 
 $now = time(); 
 $query = my_db_query("UPDATE comments_session 
SET lastaction=$now 
WHERE sessionid='$sessionid'");

Andreas

Use the username and pass to identify, NOT the sessionid

Use the username and pass to identify when there is no or no valid session id. A session is no longer valid once it timed out.

When the session timed out, display a page for user to log in again. But you should store the data the user tried to submit or the page she tried to access. Once she logged in successfully, do whatever the user wanted to do but was prevented by the session time out. Donīt ignore the initial action the user tried to perform as so many badly designed pages do.

Andreas

Cheers for posting both,

I guess I've been reading off the wrong page ;)

So say I paste you a URL while im logged in...
page.php?PHPSESSID=123412341234....

So you load up the page on your browser by clicking on the link, and any validating script will recognise a username and password by association with the sessionid - that the script needs to identify the registered session as me.

If the sessionid is the same as the registered user, then how can any script tell the difference since the username and password are referenced by the sessionid? (I think this is where Im not getting it).

The IP address checking could clear that up a bit as Nick said. I've just read that checking the first 3 octets of an IP address is meant to be a good way to do it.

But still, am i getting this session/registered variables association thingy wrong or is this why I should be including IP addresses in the checkup?

What if we were both on the same network and I pasted you the URL? :)

I might just stick to cookies if I can't get my around this, or i might just be nitpicking here

Forget the sessionid entirely
It's throwing you off the goal.

here's the 'code flow' I'd recommend:

• User hit's page (any page)
  
• Page checks that $auth is TRUE
  
• If not, then go to login
  
• If yes, continue...
  

On login:

• check that the username and pass match in your db
  
• If so, set $auth=TRUE; -- Continue...
  
• If not, do your error msg stuff
  

Just use the session to carry the $auth var. It's not needed for any other function on this site...

Got it? ;)

Nick

Nick_W:
if u lost sessionid, where is your $authenticated?

What do u meant by login by username & password?
submit username/password every page?
then, is this login?

No, you only login if $auth is not set to true. If it's not there, then yes, you gotta login again. But if you are on the site using it normally you shouldn't lose your session. If you login then go have a bath or something and come back then it's pretty acceptable to have to login again as the session timed out...

Nick

If you send me your valid session id and I do something with it, then that is your responsibility not the website ownerīs. If you give somebody your banking card and tell them your PIN then you cannot hold your bank responsible claiming a lack of security of the ATM.

The idea is to prevent some outsider to hijack an account. Enforcing security against your own users is a whole lot harder and in some cases next to impossible.

Andreas

Nick ala stickymail ;)

So how are username and password passed from page to page to make $auth > TRUE without the sessionid coming into play in the URL?

They are not passed, although you could do that.

$auth is set to TRUE if the user validates right?

So we know the suer is validated if $auth is TRUE on each page. We pass $auth using sessions.

If cookies are enabled $auth is passed as a cookie, if not it's passed in the url.

With me?

Nick

Very intersting thread.

My question is the following, assuming we're using php here, what happens if php is using transparent id to pass around the SID?

Scenario: The user login, he's authorized, his browser doesn't support cookies so php reverts back to use the SID, but since it's transparent, in the browser address bar, the url looks like this: www.mydowmain.com/myproduct.php so technically, when he cuts and paste the url, does the id get compromised?

mavherick

I'm with you Nick.

But if I'm logged in and say to someone on messenger, "hey, check out this product" and they paste the URL (with session/auth/whatever) then how can you tell the difference.

Andreas?

Yes, Nick? ;)

How may I help?

But if I'm logged in and say to someone on messenger, "hey, check out this product" and they paste the URL (with session/auth/whatever) then how can you tell the difference.

I'm stumped ;)

Nick

If this about the messanger thing bol wrote ( <added>it is indeed ;)</added> ) and cookies are off then IMHO your only option is to check for the IP address. If you do not want to do that due to AOL customers and other people behind proxy servers, then there is little you can do. One could check the HTTP_X_FORWARDED_FOR request header field to check for the original IP the request came from. But not all proxies path along that information.

In the end this comes down to a trade off between usability and security. Personally I wouldnīt worry too much about this telling a friend your session id. Itīs your own fault when you do. As I wrote before you donīt go around telling people your PIN or other such data. If you do thatīs your own responsibility.

Andreas

Thanks Andreas ;)

That's pretty much what I figured but, wasnøt certain...

Nick

So I guess the use of transparent id here wouldn't solve the problem in this case? Can somebody explain to me why? I'd love to know where it fails so that I don't use that method thinking it's reliable.

thanks

mavherick

Sorry mavherick, it probably wasnīt Nickīs intent to ignore you. I agree with you that he needs to be more attentive to membersī needs in his new position as moderator. ;) But then this isnīt Nickīs forum, so I guess he is excused ;).

The problem is quite easily described. When someone else can get a valid session id then he can hijack that session and do whatever he or she wants within that session. This problems pertains to all session ids. A solution would be to check for IP addresses. This is a problem because for people behind a large proxy setup there is no guarantee that the same proxy will handle all requests from a specific user. So comparing IP addresses wonīt work. A suggested solution is to check only the first three octets or to check the x-forwarded-for header. Both arenīt fail-proof solutions.

When cookies are used then posting a URI to a forum or sending the URI to a friend wonīt jeopardize your session id which resides in the cookie. When it is in the URI, then everybody could use that session id to hijack the session identified by that is. This risk may be minimized by letting the session time out after a couple of minutes.

Andreas

hehe no problem, I totally understand what you're saying, I'm just trying to understand that if php is using transparent session id, that means that the session id isn't in the address bar (even when cookies are disabled, php automatically transfer it from page to page tranparently) so I would think that the cut and paste of URI wouldn't be a problem here. Am I wrong?

thanks for your answer.

mavherick

hehe, you cheeky chappy Andreas!

He's right, I didn't mean to igmore you at all ;) -- just getting ready to throw a party and things are a bit hectic ;)

even when cookies are disabled, php automatically transfer it from page to page tranparently

AFAIK that's impossible. Andreas is better at this stuff than me though,,,,

Nick

I'll go read on session again! I think I'm confused on the mechanics!

thanks

mavherick

The session id is said to be transparent because PHP will use either cookies or an URI parameter to transmit the session id. You donīt have to worry how PHP does it. One way or another it will always be there. However, HTTP being a stateless protocol cookies or URI parameters are the only way to pass along the id.

that means that the session id isn't in the address bar (even when cookies are disabled, php automatically transfer it from page to page tranparently

When cookies are disabled the session id needs to be in the URI or there will be no session id at all. Beyond cookies and URI there is no way for PHP to transparently pass along the session id.

Andreas

just getting ready to throw a party

Am I invited? With all those low fare carriers I could probably be in Denmark in about 90 minutes for just a few Euro. ;)

Have fun at your party!

Andreas

Just to add another point of confusion: If you decide that your method is to put session information in the URL if a browser doesn't accept cookies, then you may want to make special allowances for known robots so that you don't give googlebot and scooter and such session IDs in their URLs. It just seems better to have URLs that don't have session information in the engines.

Have fun at your party!

It's a 'gluk' (glu vin) party ;) -- pj-harvey and hot spiced wine ;)

Nick

Hey Nick, what are you still doing in front of the computer?

If you still post later on this evening may we expect you to sign with Hick instead of Nick again? ;)

Andreas