
security of sessions

I'm just starting to learn how sessions work and how to use them.

My question is: if I'm getting a username and password from a visitor, is it
secure to store that information in a session variable, or is it better to
store that information in a database and retrieve it when needed, or wouldn't
it make any difference?

thanks
chris
Jul 17 '05 #1
Usernames and passwords should really be stored in a database, with the
password encrypted. You do NOT want such information sitting around in a
file that every Tom, Dick and Harry can read.

--
Tony Marston

http://www.tonymarston.net

"chris" <so*****@here.com> wrote in message
news:41********@funnel.arach.net.au...
> im just starting to learn how sessions work and how to use them
>
> my question is if im geting a username and password from a visitor is it
> secure to store that information in a session variable or is it better to
> store that information in a database and retrieve it when needed or
> wouldnt it make any difference??
>
> thanks
> chris

Jul 17 '05 #2
Yeah, that's what I thought.

thanks

"Tony Marston" <to**@NOSPAM.demon.co.uk> wrote in message
news:cl*******************@news.demon.co.uk...
> Usernames and passwords should really be stored in a database, with the
> password encrypted. You do NOT want such information sitting around in a
> file that every Tom, Dick and Harry can read.
>
> --
> Tony Marston
>
> http://www.tonymarston.net
>
> "chris" <so*****@here.com> wrote in message
> news:41********@funnel.arach.net.au...
> > im just starting to learn how sessions work and how to use them
> >
> > my question is if im geting a username and password from a visitor is it
> > secure to store that information in a session variable or is it better to
> > store that information in a database and retrieve it when needed or
> > wouldnt it make any difference??
> >
> > thanks
> > chris


Jul 17 '05 #3
> Usernames and passwords should really be stored in a database, with the
> password encrypted. You do NOT want such information sitting around in a
> file that every Tom, Dick and Harry can read.


Yes, the data is sitting around *ON THE SERVER*. That shouldn't
be a problem if you have your own server all to yourself, where all
the Dicks that can read the data should be your employees.

Even if you are on shared web hosting, it's only a small percentage
of the world that can read those files (but that's BAD enough). If
you are on shared hosting, though, this is a BIG issue.

I don't particularly like PHP's default session handling of sticking
everything in little files. I'd rather it put this stuff in a
database. And since PHP provides for session handlers, it's not
at all hard to do just that. Arrange for the session handlers to be
set in a file included by every page (if you've got access to php.ini
or Apache config files, there may be easier ways), and you shouldn't
have to touch any of the code that actually manipulates $_SESSION.

If you are sharing a server with other customers of the web host,
you have to worry about the security of your database also. How
do you store the password so YOUR scripts can use it and some other
customer using the same server can't?

You probably shouldn't be storing passwords in session data anyway.
$_SESSION is stored on the server and can't be faked by the browser.
So once you validate the password, simply recording that he
successfully logged in the session (and when) against your user
database is enough if you trust that session hijacking is difficult
enough to not be a problem.

Gordon L. Burditt

Jul 17 '05 #4
.oO(Tony Marston)
> Usernames and passwords should really be stored in a database, with the
> password encrypted. You do NOT want such information sitting around in a
> file that every Tom, Dick and Harry can read.


True, but: If someone is able to read your session files then you should
also be concerned about your database security.

Micha
Jul 17 '05 #5
In article <cl********@library2.airnews.net>,
go***********@burditt.org (Gordon Burditt) wrote:
> > Usernames and passwords should really be stored in a database, with the
> > password encrypted. You do NOT want such information sitting around in a
> > file that every Tom, Dick and Harry can read.
>
> Yes, the data is sitting around *ON THE SERVER*. That shouldn't
> be a problem if you have your own server all to yourself, where all
> the Dicks that can read the data should be your employees.
>
> Even if you are on shared web hosting, it's only a small percentage
> of the world that can read those files (but that's BAD enough). If
> you are on shared hosting, though, this is a BIG issue.
>
> I don't particularly like PHP's default session handling of sticking
> everything in little files. I'd rather it put this stuff in a
> database. And since PHP provides for session handlers, it's not
> at all hard to do just that. Arrange for the session handlers to be
> set in a file included by every page (if you've got access to php.ini
> or Apache config files, there may be easier ways), and you shouldn't
> have to touch any of the code that actually manipulates $_SESSION.
>
> If you are sharing a server with other customers of the web host,
> you have to worry about the security of your database also. How
> do you store the password so YOUR scripts can use it and some other
> customer using the same server can't?
>
> You probably shouldn't be storing passwords in session data anyway.
> $_SESSION is stored on the server and can't be faked by the browser.
> So once you validate the password, simply recording that he
> successfully logged in the session (and when) against your user
> database is enough if you trust that session hijacking is difficult
> enough to not be a problem.
>
> Gordon L. Burditt


Read

http://shiflett.org/articles/security-corner-mar2004

Chris' article provides a great hack to hide database credentials and
talks about the problems with security and shared hosting. I'd gotten
around the "server must be able to read the files" problem by coding
stuff with passwords in protected CGI scripts and using CGIwrap

http://cgiwrap.sourceforge.net/

but the URLs become really long.

--
DeeDee, don't press that button! DeeDee! NO! Dee...

Jul 17 '05 #6
"Tony Marston" <to**@NOSPAM.demon.co.uk> wrote in message
news:cl*******************@news.demon.co.uk...
> Usernames and passwords should really be stored in a database, with the
> password encrypted. You do NOT want such information sitting around in a
> file that every Tom, Dick and Harry can read.


Shared hosting is inherently insecure. Keeping the personal info in the
database doesn't buy you much, since people on the same server can not only
read your session files, they can also write to them. So an attacker can gain
access to the info through the frontend by tinkering with the login/user id
inside his session file.
Jul 17 '05 #7
"Chung Leong" <ch***********@hotmail.com> wrote in message
news:PK********************@comcast.com...
> "Tony Marston" <to**@NOSPAM.demon.co.uk> wrote in message
> news:cl*******************@news.demon.co.uk...
> > Usernames and passwords should really be stored in a database, with the
> > password encrypted. You do NOT want such information sitting around in a
> > file that every Tom, Dick and Harry can read.
> Shared hosting is inherently insecured. Keeping the personal info in the
> database doesn't buy you much, since people on the same server can not
> only read your session files, they can also write to them. So an attack can
> gain access to the info through the frontend by tinkering with the login/user
> id inside his session file.


On second thought, maybe you shouldn't keep the personal info in a session
precisely because others can write the session files. You wouldn't keep it
there, after all, if you're not going to use it. Say you have something like

echo "<h1>Welcome {$_SESSION['username']}</h1>";

If someone can go in there and modify the session, he can inject arbitrary
contents into the page that the user sees. As there's no limit to how long a
session string can be, the attacker could stuff an entire HTML page in
there--a fake login page that steals the user's password for example.
Jul 17 '05 #8
> > > Usernames and passwords should really be stored in a database, with the
> > > password encrypted. You do NOT want such information sitting around in a
> > > file that every Tom, Dick and Harry can read.
> >
> > Yes, the data is sitting around *ON THE SERVER*. That shouldn't
> > be a problem if you have your own server all to yourself, where all
> > the Dicks that can read the data should be your employees.
> >
> > Even if you are on shared web hosting, it's only a small percentage
> > of the world that can read those files (but that's BAD enough). If
> > you are on shared hosting, though, this is a BIG issue.
> >
> > I don't particularly like PHP's default session handling of sticking
> > everything in little files. I'd rather it put this stuff in a
> > database. And since PHP provides for session handlers, it's not
> > at all hard to do just that. Arrange for the session handlers to be
> > set in a file included by every page (if you've got access to php.ini
> > or Apache config files, there may be easier ways), and you shouldn't
> > have to touch any of the code that actually manipulates $_SESSION.
> >
> > If you are sharing a server with other customers of the web host,
> > you have to worry about the security of your database also. How
> > do you store the password so YOUR scripts can use it and some other
> > customer using the same server can't?
> >
> > You probably shouldn't be storing passwords in session data anyway.
> > $_SESSION is stored on the server and can't be faked by the browser.
> > So once you validate the password, simply recording that he
> > successfully logged in the session (and when) against your user
> > database is enough if you trust that session hijacking is difficult
> > enough to not be a problem.
> >
> > Gordon L. Burditt
>
> Read
>
> http://shiflett.org/articles/security-corner-mar2004


This is an interesting hack, but your typical shared-host webhosting
customer does not have access to their own <Virtualhost> section
in httpd.conf, nor is it likely that an ISP will let that customer
put in an Include directive which may act as a denial-of-service
attack on the server.

Bugs in provisioning code that auto-generates <VirtualHost> directives
included by an Apache config file have been known to prevent the
web server from starting, due to such mistakes (yep, mine) such as
assuming the sales staff will never enter a domain name with an
embedded single quote into the database, or that MIS would not allow
such a name to get into the database when they said this was locked
out when they were asked. Similar problems could occur with syntax
errors in SetEnv directives in an include file. For that matter,
so would deleting the file. Note: another interesting denial-of-service
attack against Apache starting up on very, very old versions was
not paying your domain name renewal to Network Solutions. If it
dropped out of DNS and appeared in certain Apache directives, the
server wouldn't start.
> Chris' article provides a great hack to hide database credentials and
> talks about the problems with security and shared hosting. I'd gotten
> around the "server must be able to read the files" problem by coding
> stuff with passwords in protected CGI scripts and using CGIwrap
>
> http://cgiwrap.sourceforge.net/
>
> but the URLs become really long.


This is interesting but I'm not sure I'd want to lose the advantages
of PHP as an Apache module. Chances are my hosting provider wouldn't
go for it either.

I keep database passwords in a PHP include file *OUTSIDE* the
document tree. This is my own server on my own property so shared
use isn't an issue. If PHP breaks (it's been known to happen briefly
while upgrading it and Apache, sometimes longer if the build didn't
work right), you can't get to the include file (although PHP files
are served as text files) and if PHP is working, the include file
is accessible but not exposed.

Gordon L. Burditt
Jul 17 '05 #9
chris wrote:

> my question is if im geting a username and password from a visitor is it
> secure to store that information in a session variable or is it better to
> store that information in a database and retrieve it when needed or wouldnt
> it make any difference??


Usually, you'd validate username and password, then store the username in a
session variable, along with a session variable indicating whether they'd been
authenticated or not. As long as the authentication variable is true, you can
assume they really are the username. It's generally considered bad practice to
keep passwords anywhere unnecessarily.

Regards,
Shawn
--
Shawn Wilson
sh***@glassgiant.com
http://www.glassgiant.com
Jul 17 '05 #10
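The login flow Shawn describes (validate the password, then keep only the username, an authenticated flag and the login time in the session, never the password) together with the output escaping that defuses the tampered-session injection Chung Leong describes in #8, as one added example that is not code from the thread. The function names, the users table and the constructed in-memory SQLite database are assumptions made so the file runs on its own.

```php
<?php
// Added example, not code from the thread. Demonstrates: storing only a
// password hash; putting an authenticated flag, username and login time
// in the session instead of the password; regenerating the session id on
// login; and escaping the username when it is rendered, so a value written
// into the session file by another tenant cannot inject markup.
// Function names and the demo users table are assumptions.
declare(strict_types=1);

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');   // constructed stand-in for the user database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    // Only a one-way hash is stored; the plaintext password never touches disk.
    $stmt = $db->prepare('INSERT INTO users VALUES (:u, :h)');
    $stmt->execute([':u' => 'chris', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the session state to establish on success, or null on failure.
// The submitted password is checked and then discarded.
function authenticate(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return ['authenticated' => true, 'username' => $username, 'login_time' => time()];
}

// Called from the login page after authenticate() succeeded.
function establish_session(array $state): void
{
    // A fresh id at the privilege change stops a pre-login id being reused.
    session_regenerate_id(true);
    foreach ($state as $key => $value) {
        $_SESSION[$key] = $value;
    }
}

// Pages that need a login check this flag rather than re-reading a password.
function is_logged_in(array $session): bool
{
    return ($session['authenticated'] ?? false) === true;
}

// Escaped at the point of output: whatever is in the session (including a
// value someone else on the host wrote there) renders as text, not markup.
function welcome_html(string $username): string
{
    return '<h1>Welcome ' . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h1>';
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

if (PHP_SAPI === 'cli') {
    $db = open_demo_db();
    expect(authenticate($db, 'chris', 'wrong password') === null, 'bad password rejected');
    expect(authenticate($db, 'nobody', 'correct horse') === null, 'unknown user rejected');
    $state = authenticate($db, 'chris', 'correct horse');
    expect($state !== null && is_logged_in($state), 'good login accepted');
    expect(!isset($state['password']), 'password not kept in session state');
    // Constructed tampered value of the kind Chung Leong warns about.
    expect(
        welcome_html('<script>alert(1)</script>')
            === '<h1>Welcome &lt;script&gt;alert(1)&lt;/script&gt;</h1>',
        'username escaped on output'
    );
    echo "all checks passed", PHP_EOL;
}
```

Run with `php login_demo.php` (any filename). Escaping at output does not stop someone with write access to the session store from changing the username or the authenticated flag, which is Chung Leong's deeper point; it only removes the markup injection, while the storage-location question from earlier in the thread decides who can write the session at all.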
