
What is a secure way to store and retrieve session data in a Web site? Before realizing why it would not work, I believed for a good while that the following approach would:

  1. Store everything in session variables whose name is a randomly generated string:

    <?php
    // A session must be started before $_SESSION can be used.
    session_start();

    // This will be the name of the session variable.
    // (uniqid() is derived from the clock; it is not a CSPRNG.)
    $id = uniqid();

    // $my_complex_object contains sensitive information
    // I don't want to transmit over the network.
    $_SESSION[$id] = $my_complex_object;
    
  2. Send those randomly generated strings to my users.

  3. On the client side, send requests to my server using those randomly generated strings as POST parameters.

But then I realized this is only as secure as PHP's session ID cookie (or that of whatever language/framework you happen to be using), which, I guess, is sent through the tubes as plain text. Together, the session ID and the randomly generated $id are everything an attacker needs to access $my_complex_object. And they are both available for free to the attacker.

So, could anybody tell me an approach that actually works? Maybe there is a secure way to set cookies.


NOTE: I did not set the PHP tag because it is only incidental that I am using PHP. If you want to give me an example in whatever happens to be your favorite language/framework, please feel free to do so.


EDIT: It seems like my original question was not clear enough.

Let us suppose we want to generate an HTML table each of whose rows corresponds to a product and will contain a hyperlink to a "More information about this product" page. Thus, I would do the following:

  1. In table.php, I would generate a table with N rows. For each row, I would generate a session variable containing information about the corresponding product. Somewhere in my HTTP response's body, I would also send the names of said session variables.

  2. When the user requests more information about a particular product, he sends a POST request to more_info.php, one of whose parameters is the name of the corresponding session variable.

So, while in my HTTP headers I am only sending the session ID cookie, in my HTTP bodies, I am sending the keys to lots of information. Any attacker who took the time to analyze the structure of my HTTP headers and bodies could completely hijack my users' sensitive information.

rook
isekaijin
  • I have no idea why you would send variable names in the response. This must be a scripting thing. – John Saunders Jan 30 '11 at 02:35
  • So the client can use them as parameters to construct further requests? – isekaijin Jan 30 '11 at 02:36
  • Don't use variable names for that. Create a set of parameters for the client to use. The parameters used should have nothing to do with the names of variables in your code. – John Saunders Jan 30 '11 at 06:43
  • Even if I use a set of parameters whose names are different from the session variables, the Web server must be able to relate those parameters to the session variables. In a sense, those parameters are an "API" for reading/manipulating those session variables (or expressions based on those session variables). But never mind, turns out what I meant to ask was [this](http://stackoverflow.com/questions/22880/what-is-the-best-way-to-prevent-session-hijacking), which means every single exchange of sensitive information must be performed using SSL. – isekaijin Jan 30 '11 at 16:51
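The following is an added example, not code from the question or from any of the commenters. It implements the table.php / more_info.php flow described above the way the comment thread suggests: the product rows stay in the server-side session, the client receives only a row index that has nothing to do with any variable name, and the security of the whole scheme is placed where it actually rests, on the session cookie (TLS-only, HttpOnly, SameSite, strict mode, regenerated on login). It assumes PHP 7.3 or later (array form of session_set_cookie_params) and a site served over HTTPS; load_products() and its data are a constructed stand-in for a database query, and all function names are mine.

```php
<?php
// Added example (not from the original question): hardened version of the
// table.php / more_info.php flow. Assumes PHP >= 7.3 and HTTPS.
// load_products() is a constructed stand-in for a database query.
declare(strict_types=1);

// Session cookie hardening, applied before session_start():
//  - use_strict_mode: reject session IDs the server did not generate
//  - use_only_cookies: never accept the ID from a URL parameter
//  - secure/httponly/samesite: cookie only over TLS, invisible to JS,
//    not attached to cross-site requests
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// Constructed sample data; cost_price is the field that must never
// appear in the table HTML sent to the browser.
function load_products(): array
{
    return [
        ['sku' => 'A-100', 'name' => 'Widget', 'cost_price' => 4.20],
        ['sku' => 'B-200', 'name' => 'Gadget', 'cost_price' => 9.75],
    ];
}

// table.php: store the full rows in the session and emit only their index.
// The index is not a secret; without this session's cookie it refers to nothing.
function render_table(array $products): string
{
    $_SESSION['products'] = array_values($products);
    $html = "<table>\n";
    foreach ($_SESSION['products'] as $i => $p) {
        $html .= sprintf(
            "<tr><td>%s</td><td><form method=\"post\" action=\"more_info.php\">"
            . "<input type=\"hidden\" name=\"row\" value=\"%d\">"
            . "<button type=\"submit\">More information</button></form></td></tr>\n",
            htmlspecialchars($p['name'], ENT_QUOTES, 'UTF-8'),
            $i
        );
    }
    return $html . "</table>\n";
}

// more_info.php: resolve the posted index against this session only.
// Anything that is not a small non-negative integer is rejected outright,
// so the client parameter can never name an arbitrary session variable.
function lookup_product(array $post): ?array
{
    $row = filter_var(
        $post['row'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 9999]]
    );
    if ($row === false) {
        return null;
    }
    return $_SESSION['products'][$row] ?? null;
}

// Call after login or any privilege change: a fresh ID invalidates a
// pre-authentication session ID an attacker may already have captured.
function on_login(): void
{
    session_regenerate_id(true);
}

// Usage in table.php:
//   echo render_table(load_products());
// Usage in more_info.php:
//   $p = lookup_product($_POST);
//   if ($p === null) { http_response_code(404); exit; }
```

The row index carries no information on its own; an attacker who reads it out of the response body still has to present the victim's session cookie to make more_info.php resolve it, which is exactly the session-hijacking problem the comments point to. TLS keeps the cookie out of the network path, the Secure flag stops the browser from ever sending it over plain HTTP, HttpOnly keeps it away from injected script, and strict mode plus session_regenerate_id() close the fixation route.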

1 Answer

As an example, ASP.NET session state never sends anything to the client except for the cookie holding the session ID. There is no way for the client to access Session variables, which are stored purely on the server.

John Saunders