Solved

php login - should i delete the previous session and regenerating session id

Posted on 2014-11-15
14
216 Views
Last Modified: 2014-11-23
Hi

On php login pages is it good practice to delete the previous session in case the user didn't log out properly or is this overkill?

I also read this in the manual comments about session id

Also it's always good to ensure every valid session is checked against an IP. One good method is to store the session id and remote IP information in a table, or better store the IP as a session variable itself, once the user logs in, and ensure that this is continued for the remaining pages for security. This of course won't work when users use the same office or shared network, as the IP to the outside world is the same.

I've seen people check the session id as an authentication method (if(!isset($_SESSION['id']))) but I'd rather not check the session_id as this doesn't seem secure because of hijacking/fixation. Is it ok to regenerate the session_id on every other page?

session_start();
session_regenerate_id();

As far as I am aware I don't need to use the session id for anything, or is there something I have overlooked and do need it? In essence I'm checking I'm not losing my session id when I might need it later.

Many thanks
Question by:andieje
14 Comments
 
LVL 82

Accepted Solution

by:
Dave Baldwin earned 250 total points
ID: 40444709
No, it really doesn't work that way.  You probably should read http://php.net/manual/en/book.session.php to see how PHP sessions work.  The two most important functions are session_start and session_destroy.

The session id is in the session cookie that is set.  session_start() checks to see if there is a cookie with a current session with that id.  If there is not, it creates a new unique session id and sets a session cookie with that id.  It is important that session_start() be at the top of each and every PHP page that is going to be used in the session.  That id is used to find any $_SESSION variables that you might have set.

Also note that session ids are set in 'session cookies'.  'Session cookies' expire when the browser is completely closed, so the next time your client opens their browser and goes to your page, they get a new session id.  Also, sessions do have an inactivity timeout of 24 minutes / 1440 seconds.  After that they are subject to being expired the next time that PHP does 'garbage collection' on the server.
0
 

Author Comment

by:andieje
ID: 40444836
I have read the manual but some of the code I am seeing isn't doing what I expect.


If you create a session cookie (session-set-cookie-params) , call session_start , set some session variables, (and then load the page) how does php respond if you delete the cookie and refresh the page? It seems to start a new session and you can't access your previous session variables.

I would expect this

However if I then add the cookie back manually that I deleted, I can get to the previous session variables. So even though PHP started a new session because there was no session cookie, it didn't destroy or clear out the previous session array. Hence why I thought you should clear out and delete the previous session. I know you would need the previous id to access them, but they're still hogging up memory and it still feels vulnerable that they are hanging around like that.
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 40444899
This article gives an explanation of the design pattern.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

To have a complete understanding of the process you may want to brush up on the details of HTTP Client/Server behaviors.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/A_11271-Understanding-Client-Server-Protocols-and-Web-Applications.html

And if you have any questions about PHP sessions, you'll be glad to know they are simpler than many may think.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11909-PHP-Sessions-Simpler-Than-You-May-Think.html
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40444935
You're seeing exactly what you should be expecting.  In between changing cookies, there was Nothing done to destroy the session... so why wouldn't it be there?  The session time-out is for 24 minutes of No activity meaning none of the pages with session_start were accessed for 24 minutes... plus, the 'garbage collection' is not done with every access.  In order to keep the load down on the server, it is done on a 'probability' basis and maybe once in every 100 or 1000 page requests.  

The session time-out is Not to create a 'logout' but to clean up the server when there is no activity.  If you want to set a real limit on the time-out, you have to do that in your own code.

For 'logouts', read the page on session_destroy.  There are multiple steps to get that to work right.  On my pages, I start a new session AFTER destroying the old one and its data to make sure the person is 'logged out' and no longer able to get the data from the previous session.  This is very useful in a shopping cart to make sure the previous order data is no longer in the cart.
0
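As an added example (not code from the thread, the PHP manual, or the linked articles), here is a minimal login/logout flow for PHP 7.3+ that ties together the points made in this thread: session_regenerate_id(true) when the user logs in, an explicit inactivity limit enforced in application code rather than relying on garbage collection, and the multi-step logout from the session_destroy manual page followed by a fresh empty session. The function names, the IDLE_LIMIT constant and the $users array are assumptions for illustration.

```php
<?php
// Added example, not from the thread or the PHP manual. Requires PHP 7.3+
// (array form of session_set_cookie_params/setcookie). Helper names are assumptions.
declare(strict_types=1);

const IDLE_LIMIT = 1440; // seconds of inactivity before the app itself ends the session

// Constructed sample user table: the value is a password_hash() of "correct horse".
$users = [
    'alice' => password_hash('correct horse', PASSWORD_DEFAULT),
];

function start_session(): void
{
    // Cookie is not readable by script, only sent over HTTPS, and the id is
    // accepted only from the cookie (never from the URL); strict mode rejects
    // ids that the server did not generate, which blunts fixation.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_start(); // resumes the session named by the cookie, or creates a new one
}

function login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // Fresh id on privilege change so a pre-set id cannot be reused;
    // true deletes the old session file so it is not left orphaned.
    session_regenerate_id(true);
    $_SESSION['user']          = $name;
    $_SESSION['last_activity'] = time();
    return true;
}

function require_login(): ?string
{
    // PHP's gc timeout only makes stale data eligible for deletion "some time
    // later"; a real limit has to be checked on every request in our own code.
    if (!isset($_SESSION['user'], $_SESSION['last_activity'])) {
        return null;
    }
    if (time() - $_SESSION['last_activity'] > IDLE_LIMIT) {
        logout();
        return null;
    }
    $_SESSION['last_activity'] = time();
    return $_SESSION['user'];
}

function logout(): void
{
    // Multi-step logout: clear the array, expire the cookie, destroy the
    // server-side data, then start a new empty session with a new id.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
    session_start();
    session_regenerate_id(true);
}

// Usage sketch; in a real site each branch lives on its own page, after start_session().
start_session();
if (isset($_POST['user'], $_POST['pass']) && login($users, $_POST['user'], $_POST['pass'])) {
    echo 'logged in as ', htmlspecialchars($_SESSION['user']);
} elseif (isset($_GET['logout'])) {
    logout();
    echo 'logged out';
} elseif (($who = require_login()) !== null) {
    echo 'welcome back, ', htmlspecialchars($who);
} else {
    echo 'please log in';
}
```

The id is regenerated only at login and logout (the privilege boundaries), not on every page: regenerating on every request buys little extra and breaks concurrent requests from the same browser, which is the practical answer to the "every other page" question above.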
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 40444980
Also it's always good to ensure every valid session is checked against an IP. One good method is to store the session id and remote IP information in a table, or better store the IP as a session variable itself, once the user logs in, and ensure that this is continued for the remaining pages for security. This of course won't work when users use the same office or shared network, as the IP to the outside world is the same.
Right about the "won't work" part, at least.  I would avoid a check like that since its false positives will make your web site fail and you'll find yourself explaining technical details to angry users who really don't want to hear about the details -- they just want the site to work.   Once you truly understand PHP sessions, you'll be able to rest easy.
0
 

Author Comment

by:andieje
ID: 40451138
If you think I should ignore the IP check I will, but you can still get orphan sessions with PHP data and no key wasting memory if users don't log out. Or perhaps they will be logged in as someone else with higher privileges.

I've read the docs and believe I understand how they work.  I also read your link.

2. PHP looks to see if a session cookie is associated with the request. If a cookie is found, PHP attempts to load the preexisting session data into the $_SESSION array.  The data may be present or it may have been deleted by the GC.  To the extent that the session data is found, it is loaded into the superglobal $_SESSION array.  If no cookie is found, obviously no session data can be found, and no action will occur at this point.

OK, but the last example did just show that orphan cookie data just sits there using up valuable resources.
Thanks
0
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 250 total points
ID: 40451288
I must have a dozen sites at the moment that use sessions and session cookies.  'orphan' sessions and cookies have never been a problem because they always get cleaned up.  A PHP session cookie takes up less than 1KB and that's not a problem on any recent hard drive, even a 'small' 80GB drive.
If no cookie is found, obviously no session data can be found, and no action will occur at this point.
That's not true.  A new session will be started.  That is the purpose of putting 'session_start()' at the top of all the pages.
if users dont log out
PHP garbage collection is not based on 'logging out'.  Either a 'session_destroy()' statement or an inactivity timeout will remove the old session data.

You're talking like this is a big problem when it is not.  Ray and I do this stuff for many sites everyday.  There are details that do need to be taken care of but it's not that difficult.  Everything you need to know is in the Sessions pages on 'php.net'.  Look there first.  http://php.net/manual/en/book.session.php
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 40451397
Exactly what Dave Baldwin said!  It's easy to overthink this stuff.  The authors of PHP have done a lot of the design and thinking for us.
0
 

Author Comment

by:andieje
ID: 40453482
Hi

Isn't this a contradiction?

ID: 40451288;

That's not true.  A new session will be started.  That is the purpose of putting 'session_start()' at the top of all the pages.

I quoted what you said wasn't true from the article.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40453504
No, that's the way it is supposed to work.  'session_start()' will either resume a currently existing session or create a new one.  It will not do 'nothing'.
0
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 40454059
You might want to go back and read the linked articles carefully, for understanding.  There are a lot of moving parts to the things you're asking about (people get PhD's for designing these systems) and it takes a year or two of college to understand all the details.  Obviously we can't give you that depth of understanding in an answer to a question, but the articles try to hit all the important points.  If there is anything you did not understand in these articles please post back and I'll try to clarify the articles as well as explain the design patterns behind the complex interactions described in the articles and the technologies.

This answer has the links to the articles:
http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/Q_28562767.html#a40444899
0
 

Author Comment

by:andieje
ID: 40460505
I've got a PhD and it's not all that intuitive! But I'm a Java programmer so it's bound to confuse me.

I have double checked your article and it makes perfect sense, but it does say "no action will occur" when a session will start.

But I think that was a bit of unnecessary pedantry, don't you! (from me, I mean)
0
 

Author Closing Comment

by:andieje
ID: 40460508
excellent
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40460883
You're welcome, glad to help.
0