Session Security

I'm still a novice when it comes to session security issues. The
problems I'm trying to solve may be fairly common, but I haven't seen
examples of solutions in any of the books I've looked at.

I currently have a page called 'login.php' which requires the user to
provide a userid/password combination. If the user logs in successfully
(i.e., the supplied userid/password combination is in the mysql
database), the user is directed to a page called 'user_view.php'. This
page contains a form which allows the user to update certain data for
their account, such as email address and telephone extension.

The owners of the site would like me to modify the site in the following

1. If a user, who has logged in successfully, navigates to another web
site within the same browser session, and then attempts to use the Back
button to return to the 'user_view.php' page within the same session,
they will be redirected back to 'login.php' and required to log in again.

2. If the 'user_view.php' page remains static (i.e., no user
interaction) for a fixed number of minutes (to be determined), the user
is also redirected back to the login page.

In both cases, the purpose is to guard against situations where there
may be multiple users on the same computer within the same browser session.

However, I've tested problem #1 with the web page for my credit union's
web site, and they don't seem to have addressed this issue. With my
credit union, if I log in successfully to my account information, I can
still browse to other web sites and then use the Back button to return
to my 'secure' account information. So I don't know how easy/hard it is
to solve problem #1.

I have a basic understanding of how to set session variables or cookies
when a user hits a particular page. However, I'm not clear on how I
would unset these variables or cookies if the user leaves the site
within the current browser session. I don't know if this is a common
problem or not.

Is there a way to set a cookie containing a value such as 'user_logged',
which expires when the user leaves the page? Can anyone point me to some
examples that address these issues?

Re: Session Security

  < and
might be a good start.

 |  Just another PHP saint  |
Email: rrjanbiah-at-Y!com

Re: Session Security

I was looking for a good secure login example and the example above
has popped up a few times on various sites. One site contained quite a
bit of criticism about the example above and even though this may be
an *angry* individual, I was wondering if anyone was aware of any
examples out there that are proven to be secure enough to implement on
a content management type website?


Re: Session Security

The address of the page (if any) which referred the user agent to the
current page. This is set by the user agent. Not all user agents will
set this, and some provide the ability to modify HTTP_REFERER as a
feature. In short, it cannot really be trusted.

This is a variable that you can check.
If the variable is NOT from your domain? You could flip your
switches, re-route the user to the login or whatever you wanted...
Just build a simple URL parser and find out what domain... Be aware
you should check for MULTIPLE domains. I have seen stuff similar to:

Hope that helps...

Re: Session Security

PHP is a server-side language.  The changes you want
have more to do with the client side than the server.

There are some ways to ask the browser not to cache a page (especially
one that is dynamic) in HTTP headers.  This is more likely to be
successful if this is a https, not http, session.  Once you leave
it, BACK won't take you back there without re-issuing the request
that created it (which the server can redirect).

It is also possible to use sessions and time out a session.  If a
user comes back to user_view.php and the browser *DIDN'T* cache it
(if the browser DID cache it, the server won't see a request and
can't do a darned thing about it), but is re-issuing the request,
user_view.php can see that the session has expired and redirect it
back to login.php.  Normally each page refreshes the session, so
if the user keeps clicking often, the session can stay open indefinitely,
but if the user goes away for, say, 5 minutes, the session ends.

For security, provide a "LOG OUT" button on every page in the
secure session.  Of course, not all users will use it, but it's
still better than not having one.

This is entirely a client-side issue.  Some people try to
solve this issue with Javascript, which is Turned Off(tm).

Your server doesn't get told when the user leaves the site.
It's none of your business.

Depending on how you define 'leaves the page', such a cookie may
*ALWAYS* expire, so there's no point in sending it in the first

                    Gordon L. Burditt

Re: Session Security

While the city slept, bonehead ( feverishly typed...

[login script]
Hmm... My first thought was http_referrer, but that is not reliable. My
second thought, which may be better, was to pass a value to the page from
the links within your secure area, eg. <a
href="securepage.php?insite=true"> - then check to see if "insite" is set to
"true" in your pages. If not, log them out and redirect to the login page.
Still not completely secure though...

When you start your session, write the current time stamp to the session.
Write a second value to the session which is the limit in seconds (so, for 5
minutes, 5*60 = 300). When a new page is opened, check the session, get a
new current time stamp, and if that is greater than the session time stamp +
the time limit, then the session has timed out. Log the user out and
redirect to the login page. Otherwise, write the new current time stamp to
the session and carry on. This is off the top of my head as I remember doing
it (fairly recently, but sleep and Marstons Pedigree have both occurred
since then!)

Hope that helps,

Nigel Moss
Mail address not valid., take the DOG. out!
In the land of the blind, the one-eyed man is very, very busy!
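Putting Gordon's no-cache headers and Nigel's time-stamp check together, here is an added example (my own code, not from any poster) of the guard that would sit at the top of user_view.php. The session keys `user_id` and `last_seen`, the 300-second limit, the `logout=1` query parameter and the path `login.php` are assumptions.

```php
<?php
// Added example: guard for the top of user_view.php (and any other page
// inside the logged-in area). Assumes login.php sets $_SESSION['user_id']
// and $_SESSION['last_seen'] = time() after a successful password check.

const IDLE_LIMIT = 300;   // 5 * 60 seconds, as in Nigel's post (assumed value)

session_start();

// Ask the browser (and any proxy) not to cache this dynamic page, so that
// BACK re-issues the request and the server gets a chance to redirect.
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Pragma: no-cache');
header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');

function logout_and_redirect(string $reason): void
{
    // Drop the server-side state and the session cookie, then go to login.php.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: login.php?reason=' . urlencode($reason));
    exit;
}

// Explicit "LOG OUT" button, e.g. <a href="user_view.php?logout=1">LOG OUT</a>
if (isset($_GET['logout'])) {
    logout_and_redirect('logged_out');
}

// Not logged in at all (or the session was never stamped).
if (empty($_SESSION['user_id']) || empty($_SESSION['last_seen'])) {
    logout_and_redirect('login_required');
}

// Idle timeout: compare now against the stamp stored on the previous request.
$now = time();
if ($now > $_SESSION['last_seen'] + IDLE_LIMIT) {
    logout_and_redirect('timeout');
}

// Still valid: refresh the stamp so ongoing activity keeps the session alive.
$_SESSION['last_seen'] = $now;
```

As Gordon notes, none of this fires if the browser serves user_view.php from its cache, which is why the headers come first; the timeout only ever runs when a request actually reaches the server.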
