PHP - Session Security
What is the best method to prevent session hijacking / fixation and all the nasty bugs that come with using session_start();
I am looking at implementing session_start() on a member site, to handle logins if registered. How would I protect the session information? Similar TutorialsHi all ! Hi, I have just started learning about sessions to use with a login system with SQL Now I was wondering if my method is secure? When login in before setting the $_SESSION variables I use the session_regenerate_id() function. All passwords and ids are stored as SHA-256 hashes in the MySql DB. I use the mysql_escape_string() and htmlspecialchars() functions to sanitize the input values of all DB query's and SESSION variables. Also the login page can only have 3 wrong attempts before the user is locked out. with a captcha after the first attempt. Once the user logs in on each 'protected' page it checks the variables in the $_SESSION variable against the DB value on each page if they do not match then it brings the user to login page. Also on start of each page: if (isset($_REQUEST['_SESSION'])) {die('No Hacking');} Just wondering am I missing something? Thanks, mme Hi This is the senario: User logs in, if successful connection details for his database are stored in a session variables which are used to access information. Are there any precautions I need to make sure the data in the sessions are safe? Thanks I have issues with a user being logged in and staying logged in, When logging in I create these $_SESSION variables Array ( [usr_login] => username [usr_fname] => first [usr_lname] => last [usr_email] => email [ses_usrid] => 1 [loggdin] => Yes [loginremember] => ) And after login it looks great till I refresh the page or go anywhere else on the site. All variables above are gone. Consequently, this works with no issues on the prod server, just not on my machine. Code I've been playing with since it started, specifically the setting of the cookie. (this code runs before anything else) // ================================================================= // Sesssion start // ================================================================= session_set_cookie_params( 0, "/; SameSite=Strict", ".killgorack.com", true, true ); session_start(); // ================================================================= // Security stuff // ================================================================= header("strict-transport-security: max-age=31536000"); header('X-Frame-Options: sameorigin'); header("X-XSS-Protection: 1; mode=block"); header('X-Content-Type-Options: nosniff'); header("Content-Security-Policy: default-src BLA BLA BLA "); header("Feature-Policy: vibrate 'none'"); header("Referrer-Policy: no-referrer"); header("Access-Control-Allow-Origin: https://www.MYWEBSITE.com/"); header("Expect-CT: max-age=86400, enforce"); header_remove("X-Powered-By"); // ================================================================= Any ideas? Edited May 19, 2019 by KillGorackI have a business social network site on hosting server. I am wondering if sessions are enough secure. ini_set('session.use_only_cookies', 1); //this prevent Session Fixation? session_start(); if($_SESSION['loggedIn'] && $_SESSION['userIP']==$_SERVER["REMOTE_ADDR"]) // extra security //user is logged in, assign all data to this profile from session else //user is not logged in, no data are assigned Would you consider that as enough secure? Hi, I'd like to know the security of assuming session variables and using them for secure membership systems. Could a malicious user not create a session, then change the session username to another user and effectively login as that user? As I see it, no. Because session data is stored on the server and only a session id is stored on the client by way of a cookie. But what if we used cookies? What is the solution to this? Because I know I could easily change ANY variables within a cookie. I guess storing cookie data via db would help. But what is the best practice solution? I see a lot of code which simply checks for a cookie with the variable 'logged_in' to true. It then manages the user by username or userid which are stored within the cookie but which can be changed with ease by a malicious user. Hi guys,
I would like to have a security measure in place to prevent unauthorized access to my site without a valid log on.
At the moment, it would let anyone in without destroying the session and redirecting to index page.
What would i "use" that's created in the session? what's the "best" practice
My understanding is that the session variable is stored in the browser, after a successful log in, that session variable is like baton or a key that's "passed" onto the next page.
- if someone tried to bypass the log on with the session then access is denied or redirected away.
So on my index page to start i have:
<?php session_start(); /* clear all session variable */ $_SESSION = array(); /* set a session variable for later use */ $_SESSION['what_page'] = "admin00"; ?>What do i need to have to use the session against unauthorized access? my guess is: if(!isset($_SESSION['what_page']) || $_SESSION['what_page'] != "index.php") { $_SESSION = array(); session_destroy(); header("Location: index.php"); exit(); }So to me that means; - if 'what_page' is not set from the index page, don't go any further, re-direct (back to index) If i remove this and use a known username and password, i am able to log into the correct page, but this session validation is the bit that's not working please could you help? I'm trying to create a simple session on a form page that determines if you've signed in. If you haven't, it kicks you to the login page. But for some reason, what I have isn't doing that. When I open the page, it loads, but only prints the url on a blank page, instead of actually going to the url. Code: [Select] <html> <title>form</title> <link rel="stylesheet" type="text/css" href="style.css"> <body> <?php session_start(); if(isset($_SESSION['id']) && is_numeric($_SESSION['id'])) { if (isset($_POST['submitted'])) { $errors = array(); if (empty($_POST['scientific_name'])) { $errors[] = 'you forgot to enter the scientific name'; } else { $sn = trim($_POST['scientific_name']); } if (empty($_POST['common_name_english'])) { $errors[] = 'you forgot to enter the common name'; } else { $cne = trim($_POST['common_name_english']); } $description4 = trim($_POST['common_names_spanish']); $description5 = trim($_POST['common_names_french']); $description6 = etc. etc. if (empty($errors)) { require_once ('3_z_mysq1_c0nn3ct.php'); $query = "INSERT INTO plantae (scientific_name, common_name_english, etc.) VALUES ('$sn', '$cne', '$description4', '$description5', '$description6', '$description7', etc.)"; $result = @mysql_query ($query); if ($result) { if(isset($_POST['scientific_name'])) { $plant_id=mysql_insert_id(); } exit(); } else { echo 'system error. No plant added'; echo '<p>' . mysql_error() . '<br><br>query:' . $query . '</p>'; exit(); } mysql_close(); } else { echo 'error. the following error occured <br>'; foreach ($errors as $msg) { echo " - $msg<br>\n"; } } // end of if } // end of main submit conditional echo '<form action="insertaplant1.php" method="post"><fieldset><legend><b>Enter your new plant here</b></legend> form fields here. </form>'; } else { $url = 'http://'.$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']); if((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) { $url = substr($url, 0, -1); } $url .= '/login.php'; echo $url; exit(); } ?>
I am trying to install a script on my OpenSuse Webserver, and I managed to resolve most of the errors except of one: The value for session.save_path (/tmp) is not writable for the web server. Make sure that PHP can actually save session variables.
That seems to be the problem.
session.save_path: writeable You need set permission for your var directory.
well - i guess that the default ownership may be incorrect on the session folder: Example; php on some Linux-Server defaults to apache user. If using nginx or other need to switch the folder ownership. Also as a note you have to change the user/group setting in www.conf.
chown -R root:nginx /var/lib/php/7.0/ sed -i 's/apache/nginx/g' /etc/php-fpm-7.0.d/www.conf service php-fpm-7.0 restart
But wait: what about the security - is it save to make the session.save_path writeable!? my server-admin says that this is a big big hole and makes the server unsecure. love to hear from you yours dil_bert by the way: years ago i have had this issue on the server. but the question is - is this a securitiy risk!? I need to know this. Look forward to hear from you Edited March 21, 2020 by dil_bertI am trying to create an index page which contains registration and login field the problem that i get is on successful login a warning is displayed session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\xampp\htdocs\Eventz.com\index.php:116) in C:\xampp\htdocs\Eventz.com\index.php on line 235 This is the login part of my index.php this tag is inside an html table below the login form I also have a registration form and its php code above the login form Code: [Select] <?php if (isset($_REQUEST['pass'])) { $id=$_POST['id']; $pass=$_POST['pass']; $conn =mysql_connect("localhost","root",""); if (!$conn) { die('Could not connect: ' . mysql_error()); } /* checking connection....success! */ $e=mysql_select_db('test', $conn); if(!$e) { die(''.mysql_error()); } else { echo 'database selected successfully'; } if (isset($_REQUEST['id']) || (isset($_REQUEST['pass']))) { if($_REQUEST['id'] == "" || $_REQUEST['pass']=="") { echo "login fields cannot be empty"; } else { $sql=mysql_query("Select email,password from login where email='$id' AND password='$pass'"); $count=mysql_num_rows($sql); if($count==1) /* $count checks if username and password are in same row */ { session_start(); $_SESSION['id']=$id; echo "</br>Login Successful</br>"; } else { echo "</br>invalid</br>"; echo "please try to login again</br>"; } } } } ?> Any help or suggestion would be appreciated in this page http://maximaart.com/newscp/ i have this problem Code: [Select] Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/maximasy/public_html/newscp/index.php:1) in /home/maximasy/public_html/newscp/index.php on line 2 my source code is <?php session_start(); include_once("config.php"); include_once("functions.php"); $errorMessage = ''; if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) { if ($_POST['txtUserId'] === "$user" && $_POST['txtPassword'] === "$pass") { // the user id and password match, $_SESSION['basic_is_logged_in'] = true; require("main.php"); exit;?> I am having trouble resolving an error. Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/s519970/public_html/header.php:27) in /home/s519970/public_html/admin/login.php on line 2 What I can gather is I can't use "header (Location: 'admin.php')" after i've used session_start(). I have tried to replace the header (Location: 'admin.php') with this: echo "<script>document.location.href='admin.php'</script>"; echo "<script>'Content-type: application/octet-stream'</script>"; I've been trying to read up on solutions but haven't been able to get it sorted. If anyone can offer some advice that would be greatly appreciated as im new to php. Code: [Select] <?php session_start(); if(isset($_SESSION['user'])) echo "<script>document.location.href='admin.php'</script>"; echo "<script>'Content-type: application/octet-stream'</script>"; ?> <div id="loginform"> <form action="dologin.php" method="post"> <table> <tr> <td><span>Username:</span></td> <td><input type="text" name="username" /></td> </tr> <tr> <td><span>Password:</span></td> <td><input type="password" name="password" /></td> </tr> <tr> <td colspan="2" align="right"><input type="submit" name="login" value="Login" /></td> </tr> </table> </form> </div> I have tried using require_once('yourpage.php'); before my <head></head> tags in the header document where I've specified the html information but this doesn't seem to work. I've been advised to use ob_start("ob_gzhandler"); but I am not sure how to implement this. Any advice is greatly appreciated! hi everyone. i'm wondering what the best way is to create a session variable and pass it to an iframe. i need to do something along these lines, but it doesn't seem to pass the ID. Any hints on how i should accomplish this? Code: [Select] session_start(); $_SESSION['ID']=$_GET['ID']; // id from previous page $ID=session_id(); <iframe src="iframepage.php?ID=<?php echo $ID; ?>" style="width:680px; height:200px;" noresize="noresize" frameborder="0" border="0" scrolling="Yes" allowtransparency="true" /> </iframe> I'm making a simple login system with MySQL and PHP (very simple, I'm just starting with PHP). The MySQL portion is done, but I need to ensure only people who are logged in can see certain content. To check if people are logged in, my website checks that they have the $_SESSION['user'] variable set. If it is set, then it lets them continue through the website, if not, it tells them to login. Is that enough security, or can people simply inject a session cookie into their browser to spoof that they are logged in? My idea was to generate a session key cookie when they login (just a random string of letters and numbers) and store that in the database, then on every page, check to make sure their session key is the same thing that's in the database. Is this necessary? It seems expensive. Evening! I've been iffing and ahhing over this and well im not too sure, hence the post. Code: [Select] // Redirects if there is no session id selected and echos the error on the previous page if(!isset($_GET['get']) || ($_GET['getget'])){ header("Location: #.php?error"); } So it should simply check if get is set if it isnt then see if getget is set? If not redirect and show the error. Now ive tried it and even when get/getget is set it still redirects, probably something silly. Care to share anyone? Harry. Just curious how other people feel about this. I am working on an application where a lot of info is pulled from MySQL and needed on multiple pages.
Would it make more sense to...
1. Pull all data ONCE and store it in SESSION variables to use on other pages
2. Pull the data from the database on each new page that needs it
I assume the preferred method is #1, but maybe there is some downside to using SESSION variables "too much"?
Side question that's kind of related: As far as URLs, is it preferable to have data stored in them (i.e. domain.com/somepage.php?somedata=something&otherdata=thisdata) or use SESSION variables to store that data so the URLs can stay general/clean (i.e. domain.com/somepage.php)?
Both are probably loaded questions but any possible insight would be appreciated.
Thanks!
Greg
Edited by galvin, 04 November 2014 - 10:30 AM. Hi there, I'm in serious need to find a way to block people from a website I code for. The thing is, we have a jailing system, nice and simple, and IP/email ban system too. But with proxies, advertisers and repeated troublemakers keep coming back because we just get the new proxy IP each time and it's a losing battle. What I need is a way to ban them properly from the site, like somehow stopping the computer they use from accesing the site. someone once said you can use a cookie to stop a browser getting on the site, but I don't know how to set it up to give the cookies out upon login and find the one associated to an account we don't want (by "cookie" banning I guess?") and stop them from logging in. hi php freaks I am using pdo as the driver for my new app the issue is I can't seem to find a clear answer. I want to sanise the vars that are coming into the database but pdo is suppose to fix all the issues. Is this true what other things do I need to watch for when using pdo they must have some flaws. Thanks Hi, I am currently working on an Invoice System using PHP and MySQL. However I was just wondering if the system I am using is secure enough. The Client gets a link like this: Code: [Select] mysite.com/?customerid=b3e470c55aad30eb38ee52eec1d8cb52 Each client has a unique "id" I also have an ID for the administrative back-end. I do clean the GET variable before querying the database though. Do I need to secure this with anything else or is this enough, as this is my first time creating anything with PHP and MySQL together. Thanks, mme |