Posted by Gordon Burditt on 03/13/07 02:07
>I was reading a few posts about sessions and security, and it seems
>that the best way to address sessions security is to require
>authentication every time the user needs to get to sensitive data (or
>protect the session data with SSL). In other words, assume that the
Having to put a password on every page view gets tedious, fast.
>world can see your session data stored in cookies if you're not using
Session data is not stored in cookies or anywhere on the browser.
Session identifiers are often stored in cookies. A session identifier
is sensitive while the session exists (due to possibility of session
hijacking) but it does not contain credit card numbers, etc. itself.
An expired session identifier is (on a properly designed site)
worthless.
>SSL. So, I started looking for exceptions to this rule of thumb
>(requiring authentication for sensitive data, even if the user has
>already logged in and has session data in a cookie), and I found one
>on ebay. If you log on to ebay, and then go to your personal
>information, and then try to edit, say, your credit card information,
>you are asked to log in. However, if you check the check box that
>says "keep me logged in for 1 day unless I log out" (or whatever), you
>no longer have to log in to get to your credit card information. So
>obviously, they have secured the session data without SSL (or https).
>How is this accomplished? Is there an equivalent construct in PHP?
If you have an unexpired session, that session ID can be used to
access whatever information the site will let you do with it (for
example, order something and charge it to your saved credit card).
That's effectively what Ebay is letting you do by extending how
long your session lasts. Session expiration doesn't have to be a
fixed time.
Note: some sites have special rules for security:
1. If you change your password, you have to supply the old password
EVEN IF YOU ARE LOGGED IN. It's just too easy for someone to spot an
unattended computer, change the password, and own the account forever.
2. You cannot *EVER* look at the full credit card number being used,
(last 4 digits, maybe) although you can change it.
3. You may have to enter your password to view stored personal data,
if that's possible at all, EVEN IF YOU ARE LOGGED IN. Changing
personal data may be less sensitive than reading it.
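To answer the "is there an equivalent construct in PHP" part: the following is an added example, not code from the post or from eBay. It sketches how a PHP site can keep only the session ID in the cookie, give "keep me logged in" sessions a longer sliding idle timeout, and still apply the three rules above (old password required for a password change, card number masked to the last four digits, fresh password required before sensitive data). It assumes PHP 7.3 or later for the array form of session_set_cookie_params(); every function name and $_SESSION key is my own choice for illustration, and the password storage is left to the caller.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original post. Assumes PHP >= 7.3 (array
// form of session_set_cookie_params with 'samesite'). All function names and
// $_SESSION keys are invented here for illustration.

const IDLE_TIMEOUT_DEFAULT  = 30 * 60;        // expire after 30 min of inactivity
const IDLE_TIMEOUT_REMEMBER = 24 * 60 * 60;   // "keep me logged in for 1 day"
const REAUTH_WINDOW         = 5 * 60;         // password re-entered within 5 min
                                              // before a sensitive page is shown

// The cookie carries only the session ID; everything else lives server-side
// in $_SESSION. The flags limit how the ID can leak: HTTPS only, no JS access.
function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called once the password has been verified. $remember mirrors the checkbox.
function login(int $userId, bool $remember): void
{
    session_regenerate_id(true);   // drop any pre-login (possibly fixated) ID
    $now = time();
    $_SESSION['user_id']      = $userId;
    $_SESSION['last_seen']    = $now;
    $_SESSION['last_auth']    = $now;   // when the password was last typed
    $_SESSION['idle_timeout'] = $remember ? IDLE_TIMEOUT_REMEMBER : IDLE_TIMEOUT_DEFAULT;
    // Mirrors the eBay behaviour described in the post: with "keep me logged
    // in" the site trusts the longer session for card data instead of asking again.
    $_SESSION['reauth_window'] = $remember ? IDLE_TIMEOUT_REMEMBER : REAUTH_WINDOW;
}

// True if the session is live; expires it otherwise. Expiry slides with use,
// so it is not a fixed time measured from login.
function session_is_live(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'], $_SESSION['idle_timeout'])) {
        return false;
    }
    if (time() - $_SESSION['last_seen'] > $_SESSION['idle_timeout']) {
        logout();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// Step-up check for sensitive pages (rule 3): being logged in is not enough,
// the password must have been re-entered within the session's reauth window.
function has_fresh_auth(): bool
{
    return session_is_live()
        && (time() - $_SESSION['last_auth']) <= $_SESSION['reauth_window'];
}

// Rule 1: changing the password always needs the old one, whatever the
// remember-me setting. Returns the new hash for the caller to store, or null
// if the session is dead or the old password is wrong.
function change_password(string $storedHash, string $oldPassword, string $newPassword): ?string
{
    if (!session_is_live() || !password_verify($oldPassword, $storedHash)) {
        return null;
    }
    $_SESSION['last_auth'] = time();
    session_regenerate_id(true);   // any other copy of the old ID is now useless
    return password_hash($newPassword, PASSWORD_DEFAULT);
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Rule 2: never show the full card number, only the last four digits.
function mask_card(string $pan): string
{
    $digits = preg_replace('/\D+/', '', $pan) ?? '';
    return str_repeat('*', max(0, strlen($digits) - 4)) . substr($digits, -4);
}

// Sketch of the "edit credit card" page built on the above:
// start_secure_session();
// if (!session_is_live()) { header('Location: /login.php'); exit; }
// if (!has_fresh_auth())  { header('Location: /reauth.php?next=/card.php'); exit; }
// echo 'Card on file: ' . mask_card($cardFromDatabase);
```

The reauth.php page would verify the password again and then set $_SESSION['last_auth'] = time(), after which has_fresh_auth() passes for the next five minutes. Note that none of this protects the session ID itself on the wire; if the cookie travels over plain HTTP, anyone who can read it gets everything the live session allows, which is exactly the hijacking risk described above.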