Posted by Gordon Burditt on 06/13/24 11:19
>I'm building a database and I basically need to keep out people who
>aren't authorized, but it's not like I need top security here. I'm just
>doing basic user/pass of a SQL database, and when a user authenticates
>I start a session for him.
 
 PHP typically starts a session for *ANYONE*.  Sessions are also
 used in user tracking with no need for logins or authentication.
 If by this you mean "when a user authenticates I mark the session
 as logged in", fine.
 
 >My question is, is there any way for a hacker to easily start a session
 >without having logged in?
 
PHP will typically start a session for anyone who goes to the login
page, BEFORE they log in.  That session won't be marked as logged in,
though.
 
 Is it easy to GUESS an existing session of another user?  In general,
 no, unless the hacker is not guessing but gets the session from the
 user's computer (say, by using the user's computer to look at stored
 cookies), or he uses a packet sniffer to watch the user's traffic,
 or he simply uses the user's computer (while user is at lunch) to
 go back to your site.
 
 >For instance, if I save the user name and IP
 >address in the session will it be relatively tough to fake a session?
 
 If you check the session for being logged in on every page (e.g.
 you check that $_SESSION['logged_in_user'] is set to *SOMETHING*,
 which you won't do unless they logged in), and you validate that
 the IP still matches, that's fairly secure, as long as you're not
 protecting things like actual money, medical records, nuclear launch
 codes, or SSNs.  You don't need to re-check the password every time.
 And if you carry the password from one page to the next in a hidden
 field (so the user doesn't have to type it in on every page), that's
 even LESS secure as there are more copies of it going over the net
 and into the user's cache.
 
 I recommend using a session timeout, as short as you can without
 inconveniencing users, consistent with the security risk.  It does
 help with the "unattended computer" problem.  My bank uses a timeout
 of 10 minutes.  "Where's George" (a site where you can track where
 dollar bills in your wallet have been and where they go after you
 spend them) uses 1 week by default (but who CARES if hackers or the
 government can enter bills on my account or see serial numbers of
 bills I've had in the past?  If I was nervous about that, I wouldn't
 use Where's George at all.  I would prefer that nobody post death
 threats on the forum in my name, but that's unlikely.)
 
 Beware that validating the IP can cause problems:  some users (AOL
 users seem to be the example for this, but it's not only them) go
 through load-balanced proxies, so just about every page, or piece
 of a page, they come through may appear to be from a different IP.
 If you reject them for that, they won't be able to use your site
 usefully.
 
 Incidentally, sometimes Apache .htaccess is a very nice fit to access
 control rather than using sessions.  It's nice primarily because
 browsers are prepared to keep the info in memory so the user doesn't
 have to enter it all the time, but it's not stored on disk.  However,
.htaccess doesn't do timeouts, which is often a problem.
 
 Gordon L. Burditt
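One way to implement the per-page check, IP match and idle timeout described in the post above, as an added example that is not Gordon's own code. The function names, the 10-minute timeout and the CHECK_IP switch are assumptions; the ID regeneration at login is standard PHP practice, not something the post mentions.

```php
<?php
// Added example (not from the original post): the session checks described
// above. Constants below are assumptions; tune them to your own risk level.
const IDLE_TIMEOUT = 600;   // 10 minutes of inactivity, like the bank example
const CHECK_IP     = true;  // set false if users come through rotating proxies

session_start();

// Call once, only after the username/password has been verified against the DB.
function mark_logged_in(string $username): void
{
    session_regenerate_id(true);         // fresh ID so the pre-login ID is useless
    $_SESSION['logged_in_user'] = $username;
    $_SESSION['login_ip']       = $_SERVER['REMOTE_ADDR'];
    $_SESSION['last_activity']  = time();
}

function end_session(): void
{
    $_SESSION = [];
    session_destroy();
}

// Call at the top of every protected page; returns the username or redirects.
function require_login(): string
{
    if (empty($_SESSION['logged_in_user'])) {
        redirect_to_login('not logged in');      // session exists but never logged in
    }
    if (CHECK_IP && $_SESSION['login_ip'] !== $_SERVER['REMOTE_ADDR']) {
        // Legitimate users behind load-balanced proxies will trip this check.
        end_session();
        redirect_to_login('address changed');
    }
    if (time() - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        // Handles the "unattended computer" problem.
        end_session();
        redirect_to_login('session expired');
    }
    $_SESSION['last_activity'] = time();         // sliding timeout
    return $_SESSION['logged_in_user'];
}

function redirect_to_login(string $reason): void
{
    header('Location: /login.php?reason=' . urlencode($reason));
    exit;
}
```

The password itself is never stored in the session or carried between pages; only the logged_in_user marker, the login IP and a timestamp are kept server-side.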