[PHP] Best way to transfer session IDs
Hi, I'm trying to track session data and merge several related services through a common server-side session (using Apache). One condition is that it won't use cookies to store the user data OR the session ID. Another is that the services we're merging use different languages, including PHP and Perl (Apache::Session module) so whatever I use needs to be supported by both of these. My question - what is the best way to "know" the session id between pages? Posting it in the URL and using $_GET["PHPSESSID"] is one solution, but this seems like a hassle and is also open to attack if someone could "guess" a valid session ID. Or, would it better to avoid transferring session ids altogether and generate unique "names" on each page? What works well for generating the name? I'm thinking something like a hash of their IP plus a private key, but maybe someone knows problems with this or has a better/easier solution. Also, outside of changing session.use_cookies to false and session.save_path to a PHP- and Perl- happy location, are there any other php.ini or Apache settings I should be changing? Any comments or thoughts are greatly appreciated! -- Matt Blasinski (mbv) Internet Infrastructure Applications Technology Division of Information Technology 3121 Computer Science and Statistics 1210 West Dayton Street Madison WI 53706 Work (608) 262-2286 Cell (608) 206-4098 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Best way to transfer session IDs
Thanks for the response Chris, that's just the type of thing I was looking for! So, I'm thinking a plausible session id could be made by hashing their identification (to make it useful to the rightful owner only) with a private key (to make it hard to get and guess). I think the identification could be their IP, user agent, and maybe one or two more constant headers. The private key, of course, could be anything unguessable and kept secure. This leads me to one more question - would it be better to pass this by PUTing it in the URL or generating it at the start of each page. Passing is pretty simple, but I think generating it has the added benefit of the end user being unable to forge it because it never leaves the server or comes from the client. Does this seem reasonable and worthwhile? (I have a habit of overcomplicating things like this :-)) Thanks again, Matt Chris Shiflett wrote: --- "Matthew A. Blasinski" <[EMAIL PROTECTED]> wrote: My question - what is the best way to "know" the session id between pages? Posting it in the URL and using $_GET["PHPSESSID"] is one solution, but this seems like a hassle and is also open to attack if someone could "guess" a valid session ID. As a side note, you should probably use a word like "put" to describe placing data in the URL like that, because "post" refers to a different method altogether. :-) As for session IDs, there are basically three ways you can have the client send that to you: 1. In a Cookie header 2. In the URL 3. In the content section (POST) These are all quite open to attack, especially over non-SSL connections (which is the more popular case). In your case, cookies are probably not an option if you are dealing with multiple domains. At the very least, they can only help to track a session on one domain, and you'll have to develop a way to transfer the session across domains anyway. POST is sort of a hassle, because you have to make sure every request from your users is a POST. So, sending data in the URL is probably your best choice. Try to focus on two tasks as you try to secure this data transfer: 1. Try to make the session ID hard to get and hard to guess. 2. Try to make a stolen session ID useless to anyone but the rightful owner. Too often, developers try to focus on (and depend on) task 1. While trying to keep session IDs secret is good, task 2 is at least equally as important. How do you achieve this? Consider an HTTP request from your legitimate user: GET /blah.php?session_id=1234 HTTP/1.1 Host: example.org User-Agent: Mozilla (Gecko) Linux 2.4.1.2.3.4 There are usually many more headers, but this example will suffice. Now, depending on specific HTTP headers is never a good plan (you might notice people warning against depending on the Referer header), but this is only if you do this for every user. The headers that the *same* user sends are going to be much more consistent. In the above example, you can be pretty certain that, regardless of HTTP proxies or anything else, the user is going to send the same User-Agent header in each request. So, why not store this in the session (on the server), and check to make sure it matches every time? This approach shouldn't adversely affect your users, but it should complicate impersonation. And that is how you play the game of security - try to make things easy for the good guys and hard for the bad guys. By adding this simple User-Agent check, a bad guy can't just use a stolen session ID to impersonate someone. The bad guy has to also send the same User-Agent header. Can this be done? Sure, and it's not too hard, but it is something, and everything helps. Hopefully this can get your creative juices flowing. Chris = Become a better Web developer with the HTTP Developer's Handbook http://httphandbook.org/ -- Matt Blasinski (mbv) Internet Infrastructure Applications Technology Division of Information Technology 3121 Computer Science and Statistics 1210 West Dayton Street Madison WI 53706 Work (608) 262-2286 Cell (608) 206-4098 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Best way to transfer session IDs
Chris Shiflett wrote: --- "Matthew A. Blasinski" <[EMAIL PROTECTED]> wrote: So, I'm thinking a plausible session id could be made by hashing their identification (to make it useful to the rightful owner only) with a private key (to make it hard to get and guess). I think the identification could be their IP, user agent, and maybe one or two more constant headers. The private key, of course, could be anything unguessable and kept secure. A few comments... This session ID doesn't have to be generated from any user data. It can be a completely random and unique string that you generate for any user who arrives at your site without an active session. Even though it is probably very difficult to reverse or guess a valid ID from your method above, the extra risk isn't necessary. Also, the IP address isn't a very good piece of data to use, because it is not necessarily consistent. So, while it might make things harder for the bad guys (to spoof the good guy's IP), it could also can make things hard for the good guys (they are AOL users, lose their modem connection, etc.). Thanks for everyone's responses. I was thinking the IP would be usable for tracking users, and a lot of people have pointed out that's not the case. So, I'll probably go with passing it in the URL. Thanks again, -- Matt Blasinski (mbv) Internet Infrastructure Applications Technology Division of Information Technology 3121 Computer Science and Statistics 1210 West Dayton Street Madison WI 53706 Work (608) 262-2286 Cell (608) 206-4098 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Changing Bytes to KB, to megs, to gigs.
Philip J. Newman wrote:
My goal is to input the amount of Bytes used by a user as $inputbox and
calculate how many kbs,megs,gigs along with $cost for the price per meg.
Questions?
1. Should I be dividing by 1024 or 1000? This was passed to me by word of
mouth ...
2. Any way of rounding to 2 or 3 digests after the decimal point.
3. to remove any , from the inputted string.
1) 1024 is more correct, so, use it unless what you're given was
(incorrectly) calculated with 1000.
2) round($number, 2) - http://us4.php.net/manual/en/function.round.php
3) Use a search and replace (regular expression) to replace commas with
empty strings. ereg_replace("," "", $string) -
http://us4.php.net/manual/en/function.ereg-replace.php
HTH,
--
Matt Blasinski (mbv)
Internet Infrastructure Applications Technology
Division of Information Technology
3121 Computer Science and Statistics
1210 West Dayton Street
Madison WI 53706
Work (608) 262-2286
Cell (608) 206-4098
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Finding the sizeof a variable....
Hi, I'm wondering if there's something similar to the C sizeof operator in PHP? I would like to find out how much space in memory a variable is actually using (and possibly adjust the max memory per script accordingly). No, sizeof() http://us3.php.net/sizeof is not what I want :-( Thanks! Matt -- Matt Blasinski (mbv) Software Engineer Internet Infrastructure Applications Technology Division of Information Technology 3121 Computer Science and Statistics 1210 West Dayton Street Madison WI 53706 Work (608) 262-2286 Personal Cell (608) 347-6940 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
