
03-30-04, 04:21 PM
Newbie Coder
Join Date: Mar 2004
Location: Spain (EU) Colorado (USofA)
Posts: 30
Thanks: 0
Thanked 0 Times in 0 Posts
Server side variables
I have been going through the documentation and still not found what I am looking for.
Are there any kind of variables I can have stay on the server side with PHP?
Session variables seem to be more of a cookie implementation than anything else.
I need to control the navigation of the user and that information must never leave the server.
And as I understand it, the session variables are shipped with the headers and passed to the page... and then back to the server, which does not suit me at all.
Please tell/prove me I am wrong or guide me in right direction...
Please help.
Puno

03-30-04, 06:35 PM
Newbie Coder
Join Date: Sep 2003
Location: Southern California
Posts: 94
Thanks: 0
Thanked 0 Times in 0 Posts

03-31-04, 08:08 AM
Community VIP
Join Date: Aug 2003
Location: K.S.A
Posts: 2,257
Thanks: 0
Thanked 2 Times in 1 Post
Sessions are saved on the server side, while cookies are saved on the client side.
Sessions are difficult to hack or edit.
Anyway, if you can tell us what you want to do we may be able to help you more!
__________________
PHPSimplicity
We don't need a reason to help people - Zidane [FF9]

03-31-04, 11:28 AM
Newbie Coder
Join Date: Mar 2004
Location: Spain (EU) Colorado (USofA)
Posts: 30
Thanks: 0
Thanked 0 Times in 0 Posts
mmm 17th day of work in a row, 20 hours a day
goodie =)
Gotta love deadlines when documentation is not provided in time...
Guess we have all been through some of that.
Back to business after a little nap:
Will be more specific this time.
I am doing:
Web site for data registration which must be secure.
Data storage is on MySQL
OS is LINUX
App server is Apache Tomcat
SSL installed for domain
Dev languages: PHP, JS and HTML
I do NOT have the server for this project, just renting space =(
I need:
To control access to different pages based on navigation flow and user's login privileges.
I was thinking:
Server side variables to keep login, privilege level, current page, and page requested.
DB table for navigation options per user/privileges.
Have a "navigator.php" summoned before every page to control navigation, access and even slight customization of the header, and then "include generic_requested_page_3.php" from it, for example; thus my pages would not need to be changed for each kind of user.
But:
It seems to me that $_SESSION variables are sent back and forth to the user at each page submission, which violates our security effort.
Either I am wrong or I must find some way of keeping that info at home...
Please:
Explain other working implementations of this or how to accommodate this one to be secure.
Thanks a lot, hope this time I am more accurate.
Puno.
Why did I ever evolve from my Spectrum 48K BASIC programming?
=)

03-31-04, 12:39 PM
Community VIP
Join Date: Aug 2003
Location: K.S.A
Posts: 2,257
Thanks: 0
Thanked 2 Times in 1 Post
No, you can use sessions...
Or if you are very concerned about it, use cookies with SSL!
But almost all authentication systems use sessions and a small function that checks the session contents!
Define something called CheckUser(), for example, which will check the session!
And then call this function all over your pages and no one can hurt you!
Also you can make the function take parameters to check the user privileges!
Like this:
Hope that helps..
__________________
PHPSimplicity
We don't need a reason to help people - Zidane [FF9]
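The CheckUser() idea above, as an added example rather than the code the post omits: a privilege-gated navigator in the shape the asker describes, where only the session ID cookie reaches the browser and the values stored in $_SESSION never do. The session keys, the $pagePrivileges array (standing in for the DB table of navigation options) and the file names are assumptions; it uses PHP 7.3+ cookie options.

```php
<?php
// Added example, not code from the thread: the CheckUser() gate the post describes,
// taking the page's required privilege as a parameter. Session keys, the
// $pagePrivileges table and navigator.php are assumed names; PHP 7.3+ cookie options.

// Stand-in for the poster's DB table of navigation options: minimum privilege per page.
$pagePrivileges = ['home.php' => 1, 'report.php' => 2, 'admin.php' => 3];

function startSecureSession(): void
{
    // Only the session ID travels in the cookie; the $_SESSION payload stays on the server.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/',
        'secure'   => true,  // site is behind SSL, so never send the ID in clear
        'httponly' => true,  // keep client-side script away from the ID
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_only_cookies', '1'); // never accept or emit the ID in a URL
    ini_set('session.use_strict_mode', '1');  // reject IDs this server did not issue
    session_start();
}

function loginUser(int $userId, int $privilege): void
{
    session_regenerate_id(true); // fresh ID at login defeats session fixation
    $_SESSION['user_id']   = $userId;
    $_SESSION['privilege'] = $privilege;
}

// CheckUser(): true only for a logged-in user whose privilege level covers $page.
function CheckUser(array $pagePrivileges, string $page): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['privilege'])) {
        return false;
    }
    // Pages missing from the table are denied, which also restricts the include
    // below to the table's keys rather than to whatever the URL names.
    $required = $pagePrivileges[$page] ?? PHP_INT_MAX;
    return $_SESSION['privilege'] >= $required;
}

// navigator.php: gate first, then include the page the user asked for.
startSecureSession();
$page = $_GET['page'] ?? 'home.php';
if (!CheckUser($pagePrivileges, $page)) {
    http_response_code(403);
    exit('Access denied');
}
require __DIR__ . '/pages/' . $page;
```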

04-01-04, 03:05 PM
Newbie Coder
Join Date: Mar 2004
Location: Spain (EU) Colorado (USofA)
Posts: 30
Thanks: 0
Thanked 0 Times in 0 Posts
OK, my point seems to be being missed or I am missing something.
Standard session control native to PHP is just swell for standard navigation control, but security-wise it is a JOKE as I understand it.
Check the PHP manual and see what I mean:
\php_manual_en\ref.session.html
As it is even claimed there:
"The session module cannot guarantee that the information you store in a session is only viewed by the user who created the session. You need to take additional measures to actively protect the integrity of the session, depending on the value associated with it.
Assess the importance of the data carried by your sessions and deploy additional protections -- this usually comes at a price, reduced convenience for the user. For example, if you want to protect users from simple social engineering tactics, you need to enable session.use_only_cookies. In that case, cookies must be enabled unconditionally on the user side, or sessions will not work.
There are several ways to leak an existing session id to third parties. A leaked session id enables the third party to access all resources which are associated with a specific id. First, URLs carrying session ids. If you link to an external site, the URL including the session id might be stored in the external site's referrer logs. Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network. The solution here is to implement SSL on your server and make it mandatory for users."
Yes, I know I use an SSL server, but while the channel is safe, the $_SESSION is stored at client NOT encrypted.
Because, against what one would expect, $_SESSION variables do not stay in memory at the server:
(documentation quote)
"This is either stored in a cookie on the user side or is propagated in the URL."
From this point on my question stands.
I am guessing my options are:
1. Go figure out how Mohawk works (I understand it is a session server plug-in for Apache Tomcat; BTW, is it free?).
2. There might be some way of overriding the standard session behavior to something TRULY server side; if so, how?
3. Put up a page at the beginning of the web app begging hackers to leave me alone :/
4. Keep a table in my DB for session handling with 2-sided public communication keys that I randomize after every comm-transfer, session IDs, and navigation info (where from, where to, ...). But this is a mess, and while it makes it harder for hackers to access the data, it is breakable by design...
5. Some other options I may have overlooked. Probably a bunch, since I am a designer and programmer, not a security guy by any means.
So please, I beg for guidance on this matter.
P.D.: Remember the situation is server safe, channel safe, but client unsafe.
Thanks a lot in advance for your time and help.
__________________
Puno Bleedingrose,
Spectrum 48K BASIC was cooler, it had a BEEP instruction.

04-02-04, 10:06 AM
Coding Addict
Join Date: Oct 2003
Location: Overland Park, KS
Posts: 309
Thanks: 0
Thanked 0 Times in 0 Posts
If utmost security is an issue for you, I would write my own custom session handler for PHP if I were you. If you search on PHP.net you will find several examples to get you started. Ways you can make it more secure would be to do the following:
1.) Store the session in the DB instead of in the /tmp directory like it is by default.
2.) Send an extra cookie to the browser along with the session id cookie. Have this cookie be a decryption key. Then encrypt the saved session contents after you have serialized them, before inserting them into the database.
3.) Lock sessions to multiple values. Not only limit them based on IP and having the valid cookies; you might explore locking on user agent, etc. as well.
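Points 1 and 2 above, as an added example that is not code from the thread or from PHP.net: a PDO-backed save handler that stores each serialized session encrypted under a key that exists only in a second client cookie, so the table alone decrypts nothing. It assumes PHP 8.0+ with the sodium extension, a table `sessions(id, data, expires)` and the cookie name `sesskey`.

```php
<?php
// Added example, not code from the thread: a custom session handler in the spirit of
// points 1 and 2 above. Assumed: PHP 8.0+ with sodium, a PDO table
// sessions(id, data, expires), and a client cookie `sesskey` holding the 32-byte key.
class EncryptedDbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private string $key, private int $ttl = 1800) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $stmt->execute([$id, time()]);
        $blob = $stmt->fetchColumn();
        if ($blob === false) {
            return ''; // unknown or expired ID: PHP starts an empty session
        }
        // Row layout is nonce || ciphertext; a wrong key or a tampered row fails to open.
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open(substr($blob, strlen($nonce)), $nonce, $this->key);
        return $plain === false ? '' : $plain;
    }
    public function write(string $id, string $data): bool
    {
        // $data is PHP's serialised $_SESSION; a dump of the table alone reveals nothing.
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $blob  = $nonce . sodium_crypto_secretbox($data, $nonce, $this->key);
        $stmt  = $this->db->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $blob, time() + $this->ttl]);
    }
    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false
    {
        return $this->db->exec('DELETE FROM sessions WHERE expires < ' . time());
    }
}

// Wiring: the key cookie is issued once and travels beside the session ID cookie.
$db = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite');
$db->exec('CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY, data BLOB, expires INTEGER)');
$key = isset($_COOKIE['sesskey']) ? base64_decode($_COOKIE['sesskey'], true) : false;
if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
    $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    setcookie('sesskey', base64_encode($key), ['secure' => true, 'httponly' => true, 'path' => '/']);
}
session_set_save_handler(new EncryptedDbSessionHandler($db, $key), true);
session_start();
```

Whoever holds both cookies still reads the session, so the cookie flags and regenerating the ID at login remain the controls that matter. Binding to IP or User-Agent (point 3) adds little: addresses change mid-session behind NAT and proxies, and the header is chosen by the client.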

04-02-04, 10:09 AM
Coding Addict
Join Date: Oct 2003
Location: Overland Park, KS
Posts: 309
Thanks: 0
Thanked 0 Times in 0 Posts
Also, your information is incorrect.
$_SESSION variables are NOT sent to the client in the HTTP headers under any circumstance (unless you write custom code to do it for some strange reason). The only thing which is sent is a session identifier which allows PHP to find the specific session in the /tmp directory. By default all session data is stored on the server HD.

04-02-04, 10:30 AM
Community VIP
Join Date: Aug 2003
Location: K.S.A
Posts: 2,257
Thanks: 0
Thanked 2 Times in 1 Post
I don't know why you want all this extra security in your script, but if you just encrypt all your data in the session vars with a one-way encryption function it will be enough IMO; even if someone could open it, he will see encrypted data!!
__________________
PHPSimplicity
We don't need a reason to help people - Zidane [FF9]

04-02-04, 11:11 AM
Newbie Coder
Join Date: Mar 2004
Location: Spain (EU) Colorado (USofA)
Posts: 30
Thanks: 0
Thanked 0 Times in 0 Posts
First of all, thank you all for your help.
"3.) Lock sessions to multiple values. Not only limit them based on IP and having the valid cookies, you might explore locking on user agent, etc. as well."
This is waaay over my head. If you could explain a bit more detailed or include some examples it would be most appreciated.
"$_SESSION variables are NOT sent to the client in the HTTP headers under any circumstance (unless you write custom code to do it for some strange reason). The only thing which is sent is a session identifier which allows PHP to find the specific session in the /tmp directory. By default all session data is stored on the server HD."
The quotes I dumped into the previous post are directly from PHP's last documentation. Are they wrong or unclearly stated then?
It would make me a happy camper to find out that the session vars are kept on server, my problem would be over at that time.
Team mate tells me supposedly only the session ID is propagated through header communication.
But... maybe the doc on the session vars is remaining there from before and now session data is a bit more secure?
Help!
Thanks again.
__________________
Puno Bleedingrose,
Spectrum 48K BASIC was cooler, it had a BEEP instruction.