
So, what I've learned about security while managing sessions is that the best practice is to save the generated session id in a client cookie and the rest of the data on the server. So what exactly is happening with $_SESSION? In the official PHP documents I've found only a little description which doesn't say anything.

Do I need to have a session table created in my database on the server, or does $_SESSION create some temporary table and save all the needed data there? The problem is that I need to build a good and reliable system with approx. 1000 users simultaneously logged in to the server, so I don't know how good it is to "let" $_SESSION do all the work.

And how does $_SESSION generate the ID? Is it one ID for a combination of IP and browser? I mean, that way it doesn't need to require permission to use cookies; instead it (the server) saves some ID for the IP and browser, and this way the client doesn't have ANY data for the session whatsoever. This is just my way of thinking how it might go, but I'm not sure how to do it and what the proper way is, so can you please help me?

Tommz
  • Try giving this a look it might help you understand a bit http://stackoverflow.com/questions/11155403/how-to-generate-a-unique-session-id-in-php – Rick Roy Oct 17 '13 at 15:37
  • The default mechanism for saving session data is in _files_ on the server, with the location specified by `session.save_path`. If you want to use any other storage method, you have to implement that yourself – see the description of the function `session_set_save_handler` for more details. And no, the session id is not a “combination of IP and browser”, because that would be too easy to guess; it uses the random number generators available on the system for that. – CBroe Oct 17 '13 at 15:38

2 Answers


$_SESSION generates a random ID for each session; the ID is not linked to the IP or other client info such as the user-agent.

  • PHP generates a cookie for the user, it contains the session ID.

  • The $_SESSION array is serialized and saved into a file on the server.

  • When a user connects with a PHP session cookie, the ID is checked and then the $_SESSION array can be de-serialized from the file.

From a security point of view, it's important to note that PHP won't validate a user based on IP or user-agent, so a user could steal another user's cookie and session data. If you want this functionality then you can easily implement something: store a hash value in the session array and check it when the session is restored.

It's also possible to write your own session implementation; all you need to do is create a cookie with a unique ID, then, as you mentioned, store the data in the database. I personally prefer to create my own UserSession class, as it gives me complete control.

Drahcir

The thing about sessions is that they are stored on the client side, in its browser, so if you are going to make 2 websites and assign

 $_SESSION['logged'] = 1; // assign this in website 1 as the value if logged in
 $_SESSION['logged'] = 1; // assign this in website 2 as the value if logged in

you can still log in to both systems. Did you also know that you can session hijack a Facebook account using an Android app called FaceNiff if it doesn't have "https"? It's like disguising yourself as the account holder by creating the same session name and value.

What I do is, when the user logs in, I assign an md5 hash as the session value and insert it into the row of the user in the database, then check if the database value is equal to the browser session, so the database looks like this:

id   username   password   session_code
1    imbatman   superman   12sd5%sda812312y34356

(note: this md5 is only an example, but it looks like that, only longer I think)

and on log out I clear the database session and destroy the session:

id   username   password   session_code
1    imbatman   superman

But I'm still new to PHP and still finding ways to apply more security in my website; for now this is what I'm doing to protect against penetration.