This is in response to the discussion about secure sessions in this thread: http://www.sitepoint.com/forums/showthread.php?1171539-php-querry-is-stoping-form-post-data-from-sending-and-redirection-problem&p=5579104#post5579104
First of all, session security is a large topic and can not be fully addressed in one thread.
I am going to discuss user authentication and the bare minimum needed for secure session management. My intent is to show new developers a few pointers that I’ve picked up along the way. This is just a starting point for folks to work off of. From here you should use the best tool in a developers tool box, Google!
As a general rule, sensitive user data should never be stored in a session or cookie. My current method is to create a random hashed value that can be stored in a cookie AND in the user’s information contained in the database. You can then validate that both the value in the cookie and in the users database entry match. If so, then you can create a user object that contains sensitive user data, which is then disposed of after script execution.
If the values do not match, you can then prompt the user to login. The sign in process will generate the random hashed value, store it in the cookie and in the user’s database entry.
Once the user logs out you can then destroy the cookie and remove the value from the user’s database entry.
I’m going to use code from a real world application for examples. This will allow you to see it in action, and this will cut down on the length of this post.
Create Random Hashed Value
First I need to create my random salt, which will make the hashed value unique on every page load: https://gist.github.com/jburns131/7014486
Login User
Now we’ll address the user login. This is in the ‘loginAttempt’ method: https://gist.github.com/jburns131/7014456
- I then check input from the login form for errors
- I then check to see if they have entered a valid password
[LIST] - The password has been hashed using the crypt function, so I need to use crypt to validate it
[/LIST]
- If the password check is valid I then add my random hashed value to the database column for this user, then create a cookie containing the random hashed value.
[LIST] - Since I can have multiple installations using the same code I need to have a unique cookie name for each domain/subdomain, so that’s what I do while setting up $cookieName
[/LIST]
Verify User is Logged In, Setup CurrentUser Object
On page load we need to see if the user is logged in. We do that in the CurrentUser constructor: https://gist.github.com/jburns131/7014509
- We check if the cookie exists
- Then we check to see if the value in the cookie matches the value in the users database info
- If the values match then setup the CurrentUser object by adding useful sensitive data to object properties. If it doesn’t then do nothing and return false
Using the CurrentUser Object
Now you can instantiate the CurrentUser object, and if the current user is logged in then you can access the sensitive data as needed:
$currentUser = new CurrentUser($session);
$currentUser->isLoggedIn(); // Can be used to validate whether the current user is logged in or not
$currentUser->getId();
$currentUser->displayName();
Log Out User
Now we need to remove traces of the random hashed value. This is done in the ‘logoutAttempt’ method: https://gist.github.com/jburns131/7014415
- First we start the session so we can destroy it later on
- Then we update the database entry with an empty string to remove the random hashed value from the database
- We then destroy the session
- We then destroy the cookie by giving it a date from the past
This example is not exhaustive by any means, but it’s a good starting point to move forward on.
You will want to do a few google searches. I’d look for “php secure user authentication”, “php session security” or maybe “php secure login”.
OWASP is also a great resource regarding web application security, and has a few good pages regarding user authentication and session security:
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
https://www.owasp.org/index.php/Testing_for_Session_Management
If anyone has any feedback please let me know. I am still on this journey, so any helpful constructive criticism is welcome.
I hope this post will help give a little boost to those unfamiliar with the subject and point them down the path to enlightenment (and more secure apps) :-p
