# Solved: Secure sessions in PHP



## TheRobatron (Oct 25, 2007)

I'm trying to incorporate sessions into an admin section of my site but I'm a bit confused about how to actually authenticate a user as they go to each page. I have looked at quite a few tutorials but they don't seem to explain it. I've heard that you shouldn't store the username and password in session variables and you should store a session ID instead. Where is the session ID stored server-side, how is it created, and how is it cleared when the session expires?

I'd be grateful for any help.


----------



## TheRobatron (Oct 25, 2007)

Bump. Has nobody here worked with secure sessions?


----------



## brendandonhu (Jul 8, 2002)

You can store the username and password in session variables, just not in a cookie. The session ID is stored in a cookie (usually). This is secure, assuming your server or webhost is set up properly.

Typically, you would authenticate the user, then just store a session variable like $logged_in = true; or $user_id = 5;.


----------



## Mudley (Apr 7, 2008)

I've never worked with sessions at all.
My site is too big for sessions.


----------



## TheRobatron (Oct 25, 2007)

Thanks for your replies. Would I store the session ID in the MySQL database with the login details, or somewhere else so it knows who is logged in?


----------



## Big-K (Nov 22, 2003)

http://us3.php.net/manual/en/function.session-id.php


----------



## brendandonhu (Jul 8, 2002)

Session IDs are typically saved in a temp file (session.save_path in php.ini.) There are also 3rd-party session management implementations that use MySQL if you prefer.


----------



## TheRobatron (Oct 25, 2007)

So can I just store the session ID in the members database, and use session_id() to find the ID and logon the user? Would this be insecure because of the stored session ID, or would that method work?


----------



## brendandonhu (Jul 8, 2002)

The session ID is stored by PHP. You can store the user's ID in a session variable, like $_SESSION['user_id'].


----------



## TheRobatron (Oct 25, 2007)

So to authenticate someone would I store the username and password in session variables? I'm reading a book on website security and it says not to do that...


----------



## brendandonhu (Jul 8, 2002)

You don't need to store both, just authenticate the user and then store the username in a session variable.


----------



## TheRobatron (Oct 25, 2007)

Sorry if I sound picky, but doesn't that make session hijacking really easy? The username is a known variable, so all someone would need to do is create a fake session with the username session variable.


----------



## brendandonhu (Jul 8, 2002)

Session variables are stored on the server. The user can't set/change them.


----------
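Putting the advice from the replies above into code (authenticate once, keep only the user's ID in `$_SESSION`, never the password, and let PHP keep the session ID in the cookie). This is an added example, not code posted in the thread; it assumes a PDO connection and a hypothetical `users` table with `id`, `username` and `password_hash` columns.

```php
<?php
declare(strict_types=1);

// Cookie flags set before session_start(): HttpOnly keeps scripts away
// from the session ID, Secure keeps it off plain HTTP.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Assumed schema: users(id, username, password_hash) where password_hash
// is a password_hash() value, so the clear-text password is never stored.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Fresh ID after login: an ID issued before authentication must not
    // turn into an authenticated one (session fixation).
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['login_at'] = time();
    return true;
}

// Call at the top of every admin page. Only the server-side session data
// decides who is logged in; nothing supplied by the client is trusted.
function require_login(int $max_age = 1800): int
{
    if (empty($_SESSION['user_id']) || time() - ($_SESSION['login_at'] ?? 0) > $max_age) {
        logout();
        header('Location: /login.php');
        exit;
    }
    return (int) $_SESSION['user_id'];
}

function logout(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/'); // drop the client cookie
    session_destroy();                                  // remove the server-side data
}
```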



## TheRobatron (Oct 25, 2007)

I get it now. Thanks for all your help!


----------



## brendandonhu (Jul 8, 2002)

You're welcome.


----------



## blixster (May 31, 2008)

As a quick note, it is generally unwise to store a password in a session because someone may be able to view the session data if you are on a shared server.

Personally, I would even md5 the username because often users do not change passwords from site to site. You want to avoid falling victim to security holes in other websites as much as possible.


----------



## TheRobatron (Oct 25, 2007)

Would this still apply if I'm on a dedicated IP?


----------



## blixster (May 31, 2008)

A dedicated IP is different from a dedicated server. On a dedicated server it would only be a problem from whatever other websites you have running on the server. For example if you create a security hole on one website that allows someone to run malicious script - they could still browse all the sessions.

By dedicated IP if you mean you have an account through your ISP and run a local server, that's probably pretty safe. (Which would mean you also have a dedicated server.) If it is 10 IPs pointing to one server, they still all likely share a session cache.

And a dedicated server - is absolutely the most secure way to go with sessions...


----------

