Re: [PHP-DB] session management
Here I have a blog I setup but have not finished regarding web application authentication which includes source code and classes you can utilize. Unfortunately I have not been able to finish writing the article due to three jobs and school work. I can however assist you in getting it up and running via this message board. http://wtf-jas.blogspot.com/2010/04/web-application-authentication.html Richard Quadling wrote: On 22 April 2010 18:56, Vinay Kannan wrote: Hey Guys, I need some help on an effficient session management, right now what I do is check if the user has loggedin using his username, and create a SESSION['logged']=1, setting a login flag actually, I am not sure if this is the best way ? What do you guys use for sessions, and which is the best possible way ? Thanks, Vinay https://code.google.com/p/loginsystem-rd/ This was developed as an easy "drop-in" secure login facility. It may give you some mileage. -- Jas -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] session management
On 22 April 2010 18:56, Vinay Kannan wrote: > Hey Guys, > > I need some help on an effficient session management, right now what I do is > check if the user has loggedin using his username, and create a > SESSION['logged']=1, setting a login flag actually, I am not sure if this is > the best way ? > > What do you guys use for sessions, and which is the best possible way ? > > Thanks, > Vinay > https://code.google.com/p/loginsystem-rd/ This was developed as an easy "drop-in" secure login facility. It may give you some mileage. -- - Richard Quadling "Standing on the shoulders of some very clever giants!" EE : http://www.experts-exchange.com/M_248814.html EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731 ZOPA : http://uk.zopa.com/member/RQuadling -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] session management
If you are worried about speed in regards to the server accessing session information then you will want to utilize the mcache service daemon as well as the php mcache libraries in your code. Session hijacking attacks on web applications involve utilizing known attack vectors such as the static method of the PHP global session_id(). Essentially allowing an attacker to 'guess' a session id and attempt to create a local cookie matching that id in order to access a web application as the user whose session id is being spoofed. For more information -> http://en.wikipedia.org/wiki/Session_hijacking Cross site request forgery is more involved and can be read about here -> http://en.wikipedia.org/wiki/Cross_site_request_forgery One method of helping keep your application safe is to utilize common unique identifiers per user such as information per page request stored in the $_SERVER super global within PHP. Remote_addr, user_agent, and referrer and three good unique identifiers in which to prevent attackers from hijacking users sessions. You may also want to lookup information regarding regeneration of the session_id on each new page request an authenticated user visits. This will help prevent another attack vector known as session fixation. I am no expert, but research and testing are key. Everyone does it different but my method involves the following steps: 1. Present login form for user 2. Require server side to process input using PHP 3. Check your authentication source (database, flat file, ldap, or directory server for user credentials) 4. Create public/private key pair along with encryption IV and associate private key and IV with user account as well as unique identifiers (do not send this information back to client as it is used to decrypt our authentication token later) 5. Gather unique identifiers of user (ip address, browser type, referring page), including the public key that was generated 6. Use private key to encrypt each variable and then encode as a utf-8 compatible string in order to register as a session variable on server (within mcache, mysql or default flat file) 7. On each page user requests ensure their token is valid by using the following steps: - check token length - decrypt token information - re-authenticate user in database, flat file or other authentication source - ensure unique variables are the same to protect against session hijacking - ensure user requesting protected pages are coming from your site by checking decrypted value of the user referrer - if all checks pass simply regenerate the session id and allow for the user to access the page requested I hope this makes sense to you and I am sure its a bit to digest but it should get you started and give you some things to think about. Vinay Kannan wrote: Hi Jason, Yes this is going to be a public facing application with 3 level heirarchy, and maybe around 100 tiny companies(3-4 employees) using it. App is going to be on a Hosted Server. DB session mgmt would be a bit slower, is it? I have thought about cross site forgery and session hijacking, but the more I think about it, I realize the lesser I know about it all :( So thought this would be the best place to start. Thanks, Vinay On Thu, Apr 22, 2010 at 11:19 AM, Jason Gerfen wrote: How secure would you want it? Is this is a public facing web application? Are you in a shared hosting environment vs. a dedicated hosting environment? Do you require alternative session management such as database or mcache vs. flat file session support? Have you thought about cross site request forgery's? session hijacking etc? There are tons of things to take into consideration but setting a flag per user session is indeed one method of ensuring a user has authenticated. Vinay Kannan wrote: Hey Guys, I need some help on an effficient session management, right now what I do is check if the user has loggedin using his username, and create a SESSION['logged']=1, setting a login flag actually, I am not sure if this is the best way ? What do you guys use for sessions, and which is the best possible way ? Thanks, Vinay -- Jas -- Jas -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] session management
Hi Jason, Yes this is going to be a public facing application with 3 level heirarchy, and maybe around 100 tiny companies(3-4 employees) using it. App is going to be on a Hosted Server. DB session mgmt would be a bit slower, is it? I have thought about cross site forgery and session hijacking, but the more I think about it, I realize the lesser I know about it all :( So thought this would be the best place to start. Thanks, Vinay On Thu, Apr 22, 2010 at 11:19 AM, Jason Gerfen wrote: > How secure would you want it? Is this is a public facing web application? > > Are you in a shared hosting environment vs. a dedicated hosting > environment? Do you require alternative session management such as database > or mcache vs. flat file session support? > > Have you thought about cross site request forgery's? session hijacking etc? > > There are tons of things to take into consideration but setting a flag per > user session is indeed one method of ensuring a user has authenticated. > > > Vinay Kannan wrote: > >> Hey Guys, >> >> I need some help on an effficient session management, right now what I do >> is >> check if the user has loggedin using his username, and create a >> SESSION['logged']=1, setting a login flag actually, I am not sure if this >> is >> the best way ? >> >> What do you guys use for sessions, and which is the best possible way ? >> >> Thanks, >> Vinay >> >> >> > > > -- > Jas > >
Re: [PHP-DB] session management
How secure would you want it? Is this is a public facing web application? Are you in a shared hosting environment vs. a dedicated hosting environment? Do you require alternative session management such as database or mcache vs. flat file session support? Have you thought about cross site request forgery's? session hijacking etc? There are tons of things to take into consideration but setting a flag per user session is indeed one method of ensuring a user has authenticated. Vinay Kannan wrote: Hey Guys, I need some help on an effficient session management, right now what I do is check if the user has loggedin using his username, and create a SESSION['logged']=1, setting a login flag actually, I am not sure if this is the best way ? What do you guys use for sessions, and which is the best possible way ? Thanks, Vinay -- Jas -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Session management
On 7 Feb 2002, at 18:36, Danny Kelly wrote: > Hello, > I am trying to set up a session management system for my site. Check > out my site (under development) > http://www.planttel.com/newsite2/home.php I have a user auth system > installed already. What I want is when a customer clicks on log in > that it will prompt them for a user name and password (which I have > established) with a check box that says "Remember my password" So when > the user comes to the site they will already be logged.. Can some one > shed some lite on that for me.. A TOTAL NEWBIE!!! You should read the following. The example code is in Perl but the concepts are the same: > Basic Cookie Management http://www.stonehenge.com/merlyn/WebTechniques/col61.html Randal really slams bad cookie management. Me, I don't like using cookies at all anyhow. I like putting it in the url. Perl has more than a few CPAN modules to handle this. But it would be a lot of work to re-write any of those in PHP. I'm pretty much a PHP newbie myself. I often look here for "classes": http://phpclasses.upperdesign.com/ And here are some for session management: http://phpclasses.upperdesign.com/browse.html/class/21/ I just recently put Sessionara on a site I'm developing but the docs are skimply and it didn't work for me out of the box as I would have liked. But you might want to look at it. One thing is that it uses global and I HATE using global. This does not use cookies. I think you want a system that uses cookies. Try phpbuilder.net http://phpbuilder.net/search/?sort=Score&method=and&config=forum&restri ct=&exclude=&words=sessions Lots of stuff there. They probably have an article. Peter --- "Reality is that which, when you stop believing in it, doesn't go away". -- Philip K. Dick -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
