Re: Session ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I've read about passing the session id to a script and using that to opene
up the existing session file.  Is this something I could do in this case?
Or am I SOL?

     You can pass the session ID and reactivate the session that way,
sure.  Not pretty, and it does lead to security considerations, but it
would work.

Hi Daniel,

Your security consideration important for me and I really need to know what am I missing. Using your xs(cross-site) request and cookie based authentication with user-name and password has same level security problems. if you use tokens they can not reading or using by an other pages. Attacker must guess a random token(its difficult then guess passwords). if your browser hacked or your main page has bad js code. This is bigger problem then using xs request. they can get your password or session id.

I try to clarify my point of view for better discussion,
both servers can use same log-in database or enable to query each other.

after logged-in first.domain or a.first.domain
user has ability to call an other trusted server without password and user-name. when hit the page has XS button first.domain server will generate random key and random value and send in button code with secure protocol.(before send, you must check referrer and token for CSRF protection) detailed client info, secure key and value must store in session database for later security check.
(you need more 3 columns key value and expire-date)

sample button code in https://second.domain/need_to_see_without_user_input.php:

   	//after logged in your-first.domain

echo "<form action='https://second.domain/need_to_see_without_user_input.php' method='post' style='' >"; echo "<button id='button_1' class='button_1' type='submit' name='long_random_secure_xs_cookie_name' value='{$long_random_secure_xs_cookie_value}' style='' >";
		echo "run script 2 on second.domain" ;
	echo "</button>";
echo "</form>";

clicking that button same as write down password, user name and click submit. but easier and not less secure then password authentication.
key and value must be long and secure enough (not like unique-id).
second server side:
-check the name and value and expire date IP browser etc.
- if there is any valid session in first server then clear key and value don't touch server first.domain session data
- create new session on server second.domain width same user.
now same user has different valid session on both servers.

this method looks safe as password and user name authentication
just focus on sending secure key and value to the real client!!!
Of-course some old browsers has security holes
conditions:
 -old browsers like Firefox 5
-(not easy but possible; newer browsers with some dangerous add-ons )
 -not using tokens every page/form requests (after log-in first.domain)

after logged-in first.domain attacker can use this holes alter the referrer and can get secure key and value

there is a solution ;they cannot alter post data referrer(if browser not hacked) if you post back the token you will be quite safe.(check referrer and token)

I guess this is fit public users who use password authentication.
if you are company user or security guy You must use certificate authentication with VPN. There is no absolute security in theory. But we have to discus how will be improved. Because bad guys already doing that in opposite way.

Thanks,

Hakan Can.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux