
Storing session data in a database is a common approach and is broadly supported by major PHP frameworks (for reference, see PdoSessionHandler in Symfony2 and DatabaseSessionHandler in Laravel).

The basic principle of such session handlers is to save session data in a database table, with the session id saved in one column and the data in another. When reading session data, the handler runs a database query that reads the table row with the given session id, which was provided by the user's cookie.

According to another Stack Overflow question, comparing strings in a database query can be vulnerable to timing attacks.

So, is it possible to combine a timing attack and session hijacking to steal a session id used by another user? If so, then why isn't it considered by the major frameworks?

Jeff
    I think the best place for this type of question is [Information Security](https://security.stackexchange.com/) – gp_sflover Apr 26 '17 at 13:18

1 Answer


It is much harder, and it is questionable whether timing attacks against the database layer are practical, but yes, it is possible.

However, that does NOT mean that (the default in PHP) file storage or cache stores like Redis are safe. It is natural that all kinds of storage (not limited to sessions) will try to be faster whenever possible, which is exactly what timing attacks exploit.

Just set short expiry times - as you should anyway - and don't worry about it. Timing attacks take time, while sessions are supposed to be short-lived.

Narf