hieronymus — 2012-05-07T06:04:17-04:00 — #1
I have a website on which you can monitor units. Their status gets updated via ajax requests every 30s. After a while (about 2,5 ~ 3 hours) they get a null result. The CMS (cakephp) doesn't appear to timeout the session or something (which would be weird since making the ajax requests should keep it alive anyway) because navigating to another page after the failures doesn't prompt for a new login.
My guess is that it has something to do with the server configuration. I have no idea where to look for this.
I have a server with CentOS and Apache2.2.8 with PHP 5.2.1 and MySQL
I'm running two tests at the moment to count the successful requests before failure (and the time).
Hope you can help, because I'd like to put up this status view 24/7 on a big screen.
hieronymus — 2012-05-07T09:37:29-04:00 — #2
OK, this is annoying.
One test failed at 475 requests (almost 4 hours) (one request every 30sec.)
The second test failed at 447 requests (3,7 hours)
Both users were logged out (had to login again if I switched pages after the failed requests)
I thought it might have something to do with
Max Requests Per Child: 4000 - Keep Alive: off - Max Per Connection: 100
Timeouts Connection: 120 - Keep-Alive: 15
but now I'm not sure. Are there any server settings that could kill sessions?
dklynn — 2012-05-07T17:57:52-04:00 — #3
It appears that you've correctly created your script to perform the required action - but it fails after a significant time. To me, that implies (with your login comment) that you are not specifying a time for your SESSION to keep alive (set it for one year).
As for the server issues, it may be that you are making too many requests and not terminating the script on the server which is providing the updates to the display script. I would guess that you need to close the database connection and use an end(); statement to ensure that the child opened for the series of AJAX requests is released.
hieronymus — 2012-05-10T04:57:26-04:00 — #4
I've found the problem... somehow cakephp does set a few php.ini settings, even if you configure it to use your php.ini settings. That way the default value of cookieTimeout (=0, 'on browser close') got set to 240*60, which is the 4 hours I found testing. When the cookie dies, the session dies.
Now, for a quick fix, I've added a CakeSession::renew() to the function that responds to the ajax request. This works. But a better way would be to fix the thing in cakephp itself.
Are there any consequences of keeping the session alive with regard to server performance? Sessions now last for as long as users use this auto-update function + the 4 hours of the normal session...
dklynn — 2012-05-10T06:44:39-04:00 — #5
The consequences are known as Session Hijacking, i.e., someone could see the session data go by their router (or wi-fi) and capture the session data to gain access. A relatively short (shorter than 4 hours, indeed!) lifespan for the session data (refreshed as new requests are made, of course) would be in order.
serverstorm — 2012-05-11T11:43:06-04:00 — #6
Chris Shiflett (a security expert) has a good article here on the dangers and approach to generate a token to protect the session so that longer session times are possible. You can find this article here: http://shiflett.org/articles/session-hijacking
dklynn — 2012-05-11T19:43:33-04:00 — #7
Thanks for that link! To carry it one step further, there had been an article online (I don't remember where) about using a lot of the information provided by a browser to help "fingerprint" even further than Shiflett suggests - a little bit of paranoia can go a long way toward security!
As a CEH (Certified Ethical Hacker), I'm aware of the techniques to hack into systems (in order to defeat them, of course) so spreading this knowledge about how to protect a system is important. THANK YOU for helping!
serverstorm — 2012-05-11T21:55:23-04:00 — #8
Very neat the CEH that is... a valuable service you provide indeed! I am very interested in that article that takes the technique further, so if I find it I'll add it to this thread. Of note, I also regenerate the session_id every time a user performs an important operation like logging in, changing profile info, accessing messages and downloading secure data. Any further insights or pointers to resources are very appreciated as I try to keep my code base up to a very high security standard, but not being dedicated to this on an everyday basis, it sounds like there are modern techniques that I am maybe not doing?
dklynn — 2012-05-12T08:25:27-04:00 — #9
Frankly, the things that the CEH course taught scared the **** out of me! Hackers can use the weirdest things to break into systems just about anywhere. Have a look at http://www.backtrack-linux.org as the collection of "tools" is in one package (without instructions for obvious reasons).
WinFingerprint (http://winfingerprint.sourceforge.net) can gather information about your computer (Date & Time, Disks, Event Log, Groups, NetBIOS Shares, Network Type, Null IPC$ Session, ICMP ping, Input Type, Patch Level, RPC Bindings, SNMP, Services, Sessions, TCP SYN Port scan, Traceroute, MAC Address, UDP Port scan, Users and Win32 OS Version).
Other tools like Panopticlick (https://panopticlick.eff.org/) can gather browser information (including add-ons), thus, it is perfectly suited to validate SESSION submissions. My browser rendered:
Your browser fingerprint appears to be unique among the 2,188,882 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 21.06 bits of identifying information.
It includes specifics about User Agent, HTTP_ACCEPT Headers, Browser Plugin Details, Time Zone, Screen Size and Color Depth, System Fonts, Are Cookies Enabled? and Limited supercookie test. If that's not enough information to verify a SESSION, I don't know what would be! Okay, it's gross overkill but it works to isolate my computer (browser).
See their paper at https://panopticlick.eff.org/browser-uniqueness.pdf.
Take a look at PanOptiClick's links as there is a wealth of information there!
Pick and choose from the array of information to create a salt for a hash and you'll be able to identify a computer pretty easily - or verify the identity of a SESSION owner.
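Putting the thread's advice together (renewing the session on each AJAX poll from #4, a short refreshed lifetime from #5, Shiflett's fingerprint token from #6, regenerating the id on privilege changes from #8, and header-derived fingerprint material from #9), here is an added plain-PHP example. It is not code from the thread or from CakePHP, it targets a current PHP rather than the PHP 5.2 mentioned above, and APP_SECRET, IDLE_LIMIT and ABSOLUTE_LIMIT are hypothetical names with chosen values.

```php
<?php
// Added example (not from the thread or CakePHP): a session guard that
// combines an idle timeout refreshed on every request, a hard cap on total
// lifetime, a Shiflett-style fingerprint token kept server-side, and
// session_regenerate_id() on login. APP_SECRET is a hypothetical
// server-side secret; the two limits are illustrative choices.
const APP_SECRET     = 'replace-with-a-long-random-server-side-secret';
const IDLE_LIMIT     = 20 * 60;      // 20 minutes without a request ends the session
const ABSOLUTE_LIMIT = 8 * 60 * 60;  // hard cap regardless of activity

// Fingerprint = HMAC over headers a browser sends consistently for a whole
// visit. The client IP is deliberately left out: it changes behind mobile
// carriers and proxies, and a brittle token only logs legitimate users out.
function sessionFingerprint(): string
{
    $ua     = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $accept = $_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '';
    return hash_hmac('sha256', $ua . "\n" . $accept, APP_SECRET);
}

// Call right after a successful login (or any privilege change): new id,
// fresh timestamps, fingerprint bound to this browser.
function startAuthenticatedSession(int $userId): void
{
    session_regenerate_id(true);           // an id that leaked earlier is now useless
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = sessionFingerprint();
    $_SESSION['created_at']  = time();
    $_SESSION['last_seen']   = time();
}

// Call at the top of every request, including the 30-second AJAX poll.
// Returns true if the session is still valid (and extends the idle window);
// on any failure the session is destroyed so the caller can demand a login.
function validateSession(): bool
{
    $now = time();
    $ok = isset($_SESSION['user_id'], $_SESSION['fingerprint'], $_SESSION['created_at'], $_SESSION['last_seen'])
        && hash_equals($_SESSION['fingerprint'], sessionFingerprint())
        && ($now - $_SESSION['last_seen']) <= IDLE_LIMIT
        && ($now - $_SESSION['created_at']) <= ABSOLUTE_LIMIT;
    if (!$ok) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = $now;         // activity keeps the session alive
    return true;
}
```

Call session_start() before either function; on the AJAX endpoint, a false return from validateSession() should produce a 401 response rather than the null body the original poster saw, so the page can prompt for a new login instead of silently showing stale data.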
serverstorm — 2012-05-12T12:04:49-04:00 — #10
That is awesome information, and yes it is a little scary; however we need to know this stuff so that we can best protect our users. I'm going to take some time working with these tools to see how I need to better secure applications.
Thanks that rocked!
dklynn — 2012-05-12T21:38:22-04:00 — #11
In case you missed the PC World article ([Browser Fingerprints: A Big Privacy Threat](http://www.pcworld.com/article/192648/browser_fingerprints_a_big_privacy_threat.html)) and the Electronic Frontier Foundation's article ([How Online Tracking Companies Know Most of What You Do Online (and What Social Networks Are Doing to Help Them)](https://www.eff.org/deeplinks/2009/09/online-trackers-and-social-networks)).
As I'm no longer on staff, do you believe this portion of the thread should be copied into a new thread elsewhere? I believe that it is very important to share this knowledge with others as there are privacy as well as security concerns which members should be aware of.
serverstorm — 2012-05-13T09:25:30-04:00 — #12
Thank you for another informative link. I have addressed this with the staff as I also believe that it is an important topic.
dklynn — 2012-05-13T18:30:46-04:00 — #13
No worries, I found the "new" Web Security board.
serverstorm — 2012-05-13T18:58:23-04:00 — #14
Yes... one of the Advisors featured this thread (We felt it was best to give the OP a chance to reply to our posting before moving this) and I asked if there was a way to cull your information from this post and keep it in a more permanent way. The book is still out on this.
Glad you found the Security board!
sg707 — 2012-05-18T09:18:50-04:00 — #15
I have not done this but if it's for "monitoring" then I'd think about using 2 way SSL authentication using CA.
Then you don't have to worry about session hijacking and you never have to "login" to renew the session either. Again... haven't done this on the browser side... I've done this for Web Services.