Bytes | Software Development & Data Engineering Community

Session Security

I'm still a novice when it comes to session security issues. The
problems I'm trying to solve may be fairly common, but I haven't seen
examples of solutions in any of the books I've looked at.

I currently have a page called 'login.php' which requires the user to
provide a userid/password combination. If the user logs in successfully
(i.e., the supplied userid/password combination is in the mysql
database), the user is directed to a page called 'user_view.php'. This
page contains a form which allows the user to update certain data for
their account, such as email address and telephone extension.

The owners of the site would like me to modify the site in the following
ways:

1. If a user, who has logged in successfully, navigates to another web
site within the same browser session, and then attempts to use the Back
button to return to the 'user_view.php' page within the same session,
they will be redirected back to 'login.php' and required to log in again.

2. If the 'user_view.php' page remains static (i.e., no user
interaction) for a fixed number of minutes (to be determined), the user
is also redirected back to the login page.

In both cases, the purpose is to guard against situations where there
may be multiple users on the same computer within the same browser session.

However, I've tested problem #1 with the web page for my credit union's
web site, and they don't seem to have addressed this issue. With my
credit union, if I log in successfully to my account information, I can
still browse to other web sites and then use the Back button to return
to my 'secure' account information. So I don't know how easy/hard it is
to solve problem #1.

I have a basic understanding of how to set session variables or cookies
when a user hits a particular page. However, I'm not clear on how I
would unset these variables or cookies if the user leaves the site
within the current browser session. I don't know if this is a common
problem or not.

Is there a way to set a cookie containing a value such as 'user_logged',
which expires when the user leaves the page? Can anyone point me to some
examples that address these issues?
Jul 17 '05 #1
> I currently have a page called 'login.php' which requires the user to
> provide a userid/password combination. If the user logs in successfully
> (i.e., the supplied userid/password combination is in the mysql
> database), the user is directed to a page called 'user_view.php'. This
> page contains a form which allows the user to update certain data for
> their account, such as email address and telephone extension.
PHP is a server-side language. The changes you want
have more to do with the client side than the server.
> The owners of the site would like me to modify the site in the following
> ways:
>
> 1. If a user, who has logged in successfully, navigates to another web
> site within the same browser session, and then attempts to use the Back
> button to return to the 'user_view.php' page within the same session,
> they will be redirected back to 'login.php' and required to log in again.
There are some ways to ask the browser not to cache a page (especially
one that is dynamic) in HTTP headers. This is more likely to be
successful if this is a https, not http, session. Once you leave
it, BACK won't take you back there without re-issuing the request
that created it (which the server can redirect).

It is also possible to use sessions and time out a session. If a
user comes back to user_view.php and the browser *DIDN'T* cache it
(if the browser DID cache it, the server won't see a request and
can't do a darned thing about it), but is re-issuing the request,
user_view.php can see that the session has expired and redirect it
back to login.php. Normally each page refreshes the session, so
if the user keeps clicking often, the session can stay open indefinitely,
but if the user goes away for, say, 5 minutes, the session ends.

For security, provide a "LOG OUT" button on every page in the
secure session. Of course, not all users will use it, but it's
still better than not having one.

> 2. If the 'user_view.php' page remains static (i.e., no user
> interaction) for a fixed number of minutes (to be determined), the user
> is also redirected back to the login page.
This is entirely a client-side issue. Some people try to
solve this issue with Javascript, which is Turned Off(tm).
> I have a basic understanding of how to set session variables or cookies
> when a user hits a particular page. However, I'm not clear on how I
> would unset these variables or cookies if the user leaves the site
> within the current browser session. I don't know if this is a common
> problem or not.
Your server doesn't get told when the user leaves the site.
It's none of your business.
> Is there a way to set a cookie containing a value such as 'user_logged',
> which expires when the user leaves the page?


Depending on how you define 'leaves the page', such a cookie may
*ALWAYS* expire, so there's no point in sending it in the first
place.

Gordon L. Burditt
Jul 17 '05 #2
bonehead <se**********@here.org> wrote in message news:<dt%Kc.3842$Qv4.875@lakeread03>...
> I'm still a novice when it comes to session security issues. The
> problems I'm trying to solve may be fairly common, but I haven't seen
> examples of solutions in any of the books I've looked at.


<snip>

<http://martin.f2o.org/php/login> and
<http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/>
might be the good start.

--
| Just another PHP saint |
Email: rrjanbiah-at-Y!com
Jul 17 '05 #3
While the city slept, bonehead (se**********@here.org) feverishly typed...

[login script]
> 1. If a user, who has logged in successfully, navigates to another web
> site within the same browser session, and then attempts to use the Back
> button to return to the 'user_view.php' page within the same session,
> they will be redirected back to 'login.php' and required to log in again.
Hmm... My first thought was http_referrer, but that is not reliable. My
second thought, which may be better, was to pass a value to the page from
the links within your secure area, eg. <a href="securepage.php?insite=true">
- then check to see if "insite" is set to "true" in your pages. If not, log
them out and redirect to the login page. Still not completely secure though...
> 2. If the 'user_view.php' page remains static (i.e., no user
> interaction) for a fixed number of minutes (to be determined), the user
> is also redirected back to the login page.


When you start your session, write the current time stamp to the session.
Write a second value to the session which is the limit in seconds (so, for 5
minutes, 5*60 = 300). When a new page is opened, check the session, get a
new current time stamp, and if that is greater than the session time stamp +
the time limit, then the session has timed out. Log the user out and
redirect to the login page. Otherwise, write the new current time stamp to
the session and carry on. This is off the top of my head as I remember doing
it (fairly recently, but sleep and Marstons Pedigree have both occurred
since then!)

Hope that helps,
Nige

--
Nigel Moss
http://www.nigenet.org.uk
Mail address not valid. ni***@DOG.nigenet.org.uk, take the DOG. out!
In the land of the blind, the one-eyed man is very, very busy!
Jul 17 '05 #4
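Gordon's reply (#2) describes the two server-side levers, no-cache headers and a session that expires after a period of inactivity, and Nige's reply (#4) spells out the timestamp bookkeeping for the second one. The following is an added example that puts both together as one PHP include; it is not code from the thread or from either poster. Everything in it is assumed for illustration except the page names 'login.php' and 'user_view.php', which come from the original question: the constant IDLE_LIMIT, the functions start_secure_session(), send_no_store_headers(), end_login() and require_login(), and the session keys 'user_id' and 'last_activity'. It needs PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// auth.php -- added example, not code from this thread. Assumed names:
// IDLE_LIMIT, start_secure_session(), send_no_store_headers(), end_login(),
// require_login(), $_SESSION['user_id'] and $_SESSION['last_activity'].
// login.php and user_view.php are the page names from the original question.
// Needs PHP 7.3+ for the array form of session_set_cookie_params().

const IDLE_LIMIT = 300;   // seconds without a request before the login is dropped (5 minutes)

// Cookie flags must be set before session_start(): lifetime 0 gives a
// browser-session cookie, httponly keeps it away from script, secure keeps it
// on TLS when the site is served over https.
function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Ask the browser and any proxy not to keep a copy of the page. With no-store,
// pressing Back re-requests user_view.php, so require_login() runs again
// instead of a stored copy being shown.
function send_no_store_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
}

// Wipe the server-side session data and the client's cookie, then send the
// browser to login.php with the reason in the query string.
function end_login(string $reason): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: login.php?reason=' . urlencode($reason));
    exit;
}

// Call this at the top of every protected page. Assumes user ids are non-zero.
function require_login(): void
{
    start_secure_session();
    send_no_store_headers();

    if (empty($_SESSION['user_id'])) {
        end_login('login_required');
    }

    // Idle timeout: compare now with the stamp left by the previous request.
    // Each request that passes refreshes the stamp, so an active user stays
    // logged in, while a page left alone for more than IDLE_LIMIT seconds is
    // bounced to login.php on its next request.
    $now = time();
    if ($now - (int) ($_SESSION['last_activity'] ?? 0) > IDLE_LIMIT) {
        end_login('timeout');
    }
    $_SESSION['last_activity'] = $now;
}

// How the three pages use it (each snippet goes in the named file):
//
// user_view.php, first lines:
//   require 'auth.php';
//   require_login();
//
// login.php, after the userid/password has been verified (compare the password
// with password_verify() against a stored hash rather than against plaintext;
// $user_id is whatever your lookup returned and is an assumed variable):
//   require 'auth.php';
//   start_secure_session();
//   session_regenerate_id(true);      // fresh id: one issued before login is no longer valid
//   $_SESSION['user_id'] = $user_id;
//   $_SESSION['last_activity'] = time();
//   header('Location: user_view.php');
//   exit;
//
// logout.php, the target of the "LOG OUT" button on every page:
//   require 'auth.php';
//   start_secure_session();
//   end_login('logged_out');
```

What this buys you, and what it does not: requirement #2 is enforced the moment the next request arrives, because the server compares the stored timestamp against the clock before serving anything. Requirement #1 is only approximated. The server is never told that the user went to another site, and if they press Back inside the idle window the no-store header makes the browser re-request user_view.php, the session is still valid, and the page is served again. The only server-side levers are a short idle limit and the Log Out button. If the owners also want the browser to leave the page on its own after the limit, a `<meta http-equiv="refresh" content="300;url=logout.php">` in user_view.php does that without JavaScript, but treat it as a convenience; the check in require_login() is what actually protects the account.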
> <http://martin.f2o.org/php/login> and
> <http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/>
> might be the good start.


I was looking for a good secure login example and the example above
has popped up a few times on various sites. One site contained quite a
bit of criticism about the example above and even though this may be
an *angry* individual, I was wondering if anyone was aware of any
examples out there that are proven to be secure enough to implement on
a content management type website?

Cheers
Jul 17 '05 #5
http://us2.php.net/reserved.variables

'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the
current page. This is set by the user agent. Not all user agents will
set this, and some provide the ability to modify HTTP_REFERER as a
feature. In short, it cannot really be trusted.

This is a variable that you can check.
If the variable is NOT from your domain? You could flip your
switches, re-route the user to the login or whatever you wanted...
Just build a simple URL parser and find out what domain... Be aware
you should check for MULTIPLE domains. I have seen stuff similar to:
http://www.domain.com/blahblahblah.......blahblahblah

Hope that helps...
Jul 17 '05 #6
On Tue, 20 Jul 2004 08:39:01 -0700, Brian Scott O'keefe wrote:
> http://us2.php.net/reserved.variables
>
> 'HTTP_REFERER'
> The address of the page (if any) which referred the user agent to the
> current page. This is set by the user agent. Not all user agents will
> set this, and some provide the ability to modify HTTP_REFERER as a
> feature. In short, it cannot really be trusted.
>
> This is a variable that you can check.
> If the variable is NOT from your domain? You could flip your
> switches, re-route the user to the login or whatever you wanted...
> Just build a simple URL parser and find out what domain... Be aware
> you should check for MULTIPLE domains. I have seen stuff similar to:
> http://www.domain.com/blahblahblah.......blahblahblah
>
> Hope that helps...

The referrer can _NOT_ be used in a reliable fashion for _anything_. What
happens when I send 'Referrer modded by Ian' rather than anything you
might be expecting? And before you say "you're an idiot for doing that"..
sure, I'm unlikely to spend my time doing something like that, but some
windoze "firewalls" block referrers.. or many other applications can
modify / block referrer headers, so they're pretty much null&void.

Regards,

Ian

--
Ian.H
digiServ Network
London, UK
http://digiserv.net/

Jul 17 '05 #7
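Brian's post (#6) suggests parsing HTTP_REFERER and checking the domain, with a warning about URLs that merely contain your domain name; Ian's reply (#7) points out that the header is whatever the client chooses to send. The script below is an added example, not code from either poster, that shows both points side by side: a substring check of the kind Brian warns about, a proper host comparison using parse_url(), and a set of constructed Referer values including one that is simply made up. The site host www.example.com and the function names referer_naive_ok() and referer_host_ok() are assumptions for the example.

```php
<?php
// Added example, not code from this thread. Assumed site host: www.example.com.

const SITE_HOST = 'www.example.com';

// The weak check: does the referer string contain our host name anywhere?
// Passes http://www.example.com.evil.test/ and anything with the name in the query.
function referer_naive_ok(?string $referer): bool
{
    return $referer !== null && strpos($referer, SITE_HOST) !== false;
}

// The careful check: parse the URL and compare the host component exactly.
// Still only as trustworthy as the client that sent the header.
function referer_host_ok(?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return false;   // stripped by many proxies, privacy tools and "firewalls"
    }
    $host = parse_url($referer, PHP_URL_HOST);   // null when there is no host part
    return is_string($host) && strcasecmp($host, SITE_HOST) === 0;
}

// Constructed sample values a server might see in $_SERVER['HTTP_REFERER'].
$cases = [
    'http://www.example.com/user_view.php'        => 'genuine in-site link',
    'http://www.example.com.evil.test/x'          => 'our name is a prefix of another host',
    'http://evil.test/?u=http://www.example.com/' => 'our name in the query string',
    'Referrer modded by Ian'                      => 'arbitrary client-supplied text',
    ''                                            => 'header removed on the way',
];

foreach ($cases as $referer => $why) {
    printf("%-45s naive=%-4s host=%-4s  (%s)\n",
        $referer === '' ? '(empty)' : $referer,
        referer_naive_ok($referer) ? 'pass' : 'FAIL',
        referer_host_ok($referer) ? 'pass' : 'FAIL',
        $why);
}
```

Run from the command line the table shows the naive check accepting the second and third entries and the host check rejecting everything but the genuine link. That is as far as parsing can take you: the first entry is also exactly what `curl --referer 'http://www.example.com/user_view.php' https://www.example.com/user_view.php` sends, and an attacker's browser can do the same, while a legitimate user behind a referer-stripping proxy sends the empty value and would be bounced to the login page. So the Referer header can at best be a hint for logging or a redirect, never the thing that decides whether the session is valid; that decision belongs to the server-side session check.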

