Solved

Securing PHP Sessions Without Relying on Cookies

Posted on 2004-04-06
Last Modified: 2011-09-20
Hi,

I am fairly new at PHP programming so please bear this in mind!

I have created a website in PHP that uses standard session code that, if cookies are not enabled, tags the session to the URL. The problem that this presents is that if a logged-in user sends the URL to another user, with the tagged session attached to the URL, the new user will have access to the user's session and therefore be able to access the user's profile etc. The only way I can fix this is stopping the session being carried in the URL. Users therefore have to have cookies enabled to use the site (login), which is not entirely desirable.

Is there a secure way to pass the session data between pages without running the risk of users giving away their session data?

Thanks

JKNA_Chaps
Question by:JKNA_Chaps
Accepted Solution

by:
Asta Cu earned 125 total points
ID: 10765565
Have you searched our database here in the PHP Topic Area specifically to see if this has already been solved?

Does this rather interesting workaround to session cookies help you at all?

The following describes the easiest way I have found to force users to log into an ASP.NET website for each session but not require them to accept cookies. You must do the following things.

Create a Web.config file with the appropriate entries to allow session state management.
Create a well formed Global.asax file with the code below included in it.
Create a login page to authenticate users against a database or whatever method you desire.
More here.
http://www.codeproject.com/aspnet/NoCookieSessionLogin.asp

----

Session cookies are deleted when browser is closed, but while in session, the problem you see if left logged in.

----

I also found the following article enlightening in researching your question, and hope it adds value for you as well:
Note: Session handling was added in PHP 4.0.

Sessions and security and much more here:
http://www.phpfreaks.com/phpmanual/page/ref.session.html
Expert Comment

by:Asta Cu
ID: 10765577
Meant to include this synopsis from the above link....  Session support is enabled in PHP by default. If you would not like to build your PHP with session support, you should specify the --disable-session option to configure.

Expert Comment

by:Asta Cu
ID: 10774623
Thank you, I'm pleased to have been of some help to you.  Hopefully the next time we meet, I can provide you with what you deem to be "A" level support.
":0)
Asta
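
The situation in the question, a session ID carried in the URL that works for whoever receives the link, can be narrowed by binding each session to the client it was issued to and regenerating the ID at login. The sketch below is an added example, not code from the thread or from any poster; `APP_SECRET`, `client_fingerprint()`, `start_bound_session()` and `login()` are hypothetical names, and it assumes PHP 7.1 or later.

```php
<?php
// Added example. APP_SECRET, client_fingerprint(), start_bound_session() and
// login() are hypothetical names; the secret below is a constructed placeholder.
const APP_SECRET = 'replace-with-a-long-random-server-side-value';

// Keyed digest of request properties that someone opening a forwarded link
// usually does not share with the user the session was issued to.
function client_fingerprint(array $server): string
{
    $parts = [
        $server['HTTP_USER_AGENT'] ?? '',
        $server['HTTP_ACCEPT_LANGUAGE'] ?? '',
        $server['REMOTE_ADDR'] ?? '',
    ];
    return hash_hmac('sha256', implode("\n", $parts), APP_SECRET);
}

function start_bound_session(): void
{
    ini_set('session.use_only_cookies', '0'); // accept an ID from the URL
    ini_set('session.use_trans_sid', '1');    // append it to links when cookies are off
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
    session_start();

    $current = client_fingerprint($_SERVER);
    if (!isset($_SESSION['fp'])) {
        $_SESSION['fp'] = $current;           // new session: bind it to this client
        return;
    }
    if (!hash_equals($_SESSION['fp'], $current)) {
        // The ID came from a different client, e.g. a forwarded URL.
        session_abort();                      // leave the owner's data untouched
        session_id(session_create_id());      // give this visitor a fresh ID
        session_start();
        $_SESSION = ['fp' => $current];       // anonymous session, no login state
    }
}

// Call after the credentials have been verified.
function login(int $userId): void
{
    session_regenerate_id(true);              // pre-login ID stops being valid
    $_SESSION['user_id'] = $userId;
}

start_bound_session();
```

The fingerprint is a heuristic: two clients behind the same address with the same browser still match, and a user whose address changes mid-session is dropped to a fresh session.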