
I have to make a timetable system and I've made a login page which works, but then I need to use sessions to know who's logged in and if they are still logged in. But the cookies have to be disabled, so I have tried saving the session IDs to the MySQL database, but I don't know how to then retrieve that session ID on another page, so any ideas will help? Not sure if I'm on the right lines at all as well.

senia
  • Could you give a reason, why cookies have to be disabled? Other methods of passing the session-id are unsecure and vulnerable to session hijacking. Even strict browser settings normally allow short lived session-cookies (deleted after closing the browser), they are not the same as permanent cookies. – martinstoeckli Dec 14 '12 at 20:31
  • Just I've been asked to produce a system that can be used when cookies are disabled – George Hill Dec 14 '12 at 20:47

1 Answer


You'd need to pass the session ID through the url, like so:

http://local.domain/index.php?sessionID=7387837rhdfjfytyfegwfvkewbf

Obviously the above GET request makes the session ID fairly obvious. Really though, in normal circumstances, only the users themselves will see it. So the security implications aren't terribly bad, but they are there for the malicious, to spoof a session.

Tips for using this approach:

  • Don't use incremental session IDs (100, 101, 102) - generate random IDs
  • Although you could use a POST request on every page, it doesn't help security and it'll probably upset/antagonise your user (Consider back button presses)
  • Still maintain your session in the database, using the unique session ID from $_GET as the key
  • Ensure that the session times out, and quickly. Update the last_access time with each refresh to ensure an active user doesn't time out.
Rawkode
  • That's a wrong way. Because it is preferred to not show your session ID. It should remain hidden. It may be made use of for hacking. And if you want to use your session id, why not use session_start() at top of page. – anuj arora Dec 14 '12 at 19:24
  • @anujarora PHP stores its session ID in a cookie. If cookies are disabled, then you can't store the session ID. That leaves passing it through the url as the only viable option. I agree it's not safe, but `session_start();` has nothing to do with this question. You need that regardless of whether cookies are enabled or not. – War10ck Dec 14 '12 at 19:42
  • Ok, I got that, and session_start(); is of no use. But I still say that this is not a good option. You can pass it as post values, or you can send an id at which the session is stored, or you can encrypt the sessionID. – anuj arora Dec 14 '12 at 19:47
  • `POST` values aren't any more secure, they're just not as visible. Encrypting the `sessionID` wouldn't make it any more secure either. Encrypted, or not, it's still the key that can be used to unlock the front door, so to speak. – Rawkode Dec 14 '12 at 19:54
  • I have thought about doing it this way, but like the comments have said it's not very secure and I think it would be a better system if I used a database – George Hill Dec 14 '12 at 20:49
  • @GeorgeHill - A database is server side, but you need to pass the session-id from the browser back to the server, so your software running on the server can recognize the user. A database can do nothing to solve this problem. – martinstoeckli Dec 14 '12 at 20:53
  • Can someone have a look at this link http://www.linuxforu.com/2009/01/server-side-sessions/ I think it might be my solution but don't fully understand the code :S – George Hill Dec 14 '12 at 20:58
  • Having looked over that, albeit quickly, it appears that they're using the IP address of the client to recognise the session. This obviously isn't very secure either, as it could be a public computer or there could be multiple users behind a single router. – Rawkode Dec 14 '12 at 21:07
  • Yeah, just so confusing, just wish I could have cookies enabled – George Hill Dec 14 '12 at 21:14
  • @GeorgeHill - I think your best bet is, to use the session-id in the url as Rawkode suggested, but make your site HTTPS only. Then you can hope that no url's are leaking out through link sharing. Even better of course, convince your client that he increases security with allowing session-cookies. Depending on your website, HTTP authentication may be an option too. – martinstoeckli Dec 14 '12 at 21:17
  • @Rawkode - Another important point is to regenerate the session-id on the login page, otherwise _session-fixation_ is all too easy. – martinstoeckli Dec 14 '12 at 21:26
  • http://4rapiddev.com/php/php-store-session-in-mysql-database/ Can anyone tell me if this code will help me with my problem ? – George Hill Dec 14 '12 at 23:52
  • Still requires cookies, but I've already altered my answer with advice for using the url for your session. – Rawkode Dec 14 '12 at 23:53
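The answer's tips (random IDs, database-backed session keyed by the ID from `$_GET`, short timeout with `last_access` refreshed on each hit) plus the comment about regenerating the ID at login, put together as one runnable PHP class. This is an added example, not code from the question, the answer or either linked article. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table name `url_sessions`, the query parameter name `sid`, the 10-minute idle timeout and the user id 42 are assumptions for the demonstration.

```php
<?php
declare(strict_types=1);

// Database-backed session store whose ID travels in the URL instead of a cookie.
// Swap the DSN for your MySQL connection; the schema below is an assumption.
final class UrlSessionStore
{
    private const IDLE_TIMEOUT = 600; // seconds; keep this short, as the answer advises
    private $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS url_sessions (
                 id          TEXT PRIMARY KEY,
                 user_id     INTEGER NOT NULL,
                 last_access INTEGER NOT NULL
             )'
        );
    }

    // Random, unguessable ID from the CSPRNG (never incremental 100, 101, 102).
    private static function newId(): string
    {
        return bin2hex(random_bytes(32));
    }

    // Call this only after the password check succeeded. A fresh ID is issued
    // every time instead of reusing whatever arrived in the URL, so an attacker
    // cannot plant an ID in advance (session fixation, as noted in the comments).
    public function login(int $userId, int $now): string
    {
        $id = self::newId();
        $stmt = $this->db->prepare(
            'INSERT INTO url_sessions (id, user_id, last_access) VALUES (?, ?, ?)'
        );
        $stmt->execute([$id, $userId, $now]);
        return $id;
    }

    // Call on every page with $_GET['sid'] ?? null. Returns the user id for a
    // live session, or null. Expired rows are deleted; live rows get their
    // last_access refreshed so an active user is not timed out.
    public function resolve(?string $id, int $now): ?int
    {
        // Anything that is not a 64-char hex string is rejected before the DB is queried.
        if ($id === null || !preg_match('/^[0-9a-f]{64}$/', $id)) {
            return null;
        }
        $stmt = $this->db->prepare(
            'SELECT user_id, last_access FROM url_sessions WHERE id = ?'
        );
        $stmt->execute([$id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return null;
        }
        if ($now - (int)$row['last_access'] > self::IDLE_TIMEOUT) {
            $this->logout($id);
            return null;
        }
        $upd = $this->db->prepare('UPDATE url_sessions SET last_access = ? WHERE id = ?');
        $upd->execute([$now, $id]);
        return (int)$row['user_id'];
    }

    public function logout(string $id): void
    {
        $stmt = $this->db->prepare('DELETE FROM url_sessions WHERE id = ?');
        $stmt->execute([$id]);
    }

    // Every internal link and form action must carry the ID, or the session is lost.
    public static function link(string $path, string $id): string
    {
        return $path . '?sid=' . rawurlencode($id);
    }
}

// Demonstration with constructed timestamps (no web server needed).
$store = new UrlSessionStore(new PDO('sqlite::memory:'));
$t0 = 1000000;

$sid = $store->login(42, $t0);                      // after a successful password check
echo UrlSessionStore::link('/timetable.php', $sid), PHP_EOL;

var_dump($store->resolve($sid, $t0 + 60));          // int(42): live session
var_dump($store->resolve('100', $t0 + 60));         // NULL: guessable/malformed ID rejected
var_dump($store->resolve($sid, $t0 + 120));         // int(42): still active, last_access refreshed
var_dump($store->resolve($sid, $t0 + 120 + 601));   // NULL: idle longer than IDLE_TIMEOUT, row deleted
```

The store does not remove the weakness the thread discusses: the ID is still visible in the address bar and in any URL the user copies or shares, which is why the comments recommend serving the site over HTTPS only and, where the client can be persuaded, short-lived session cookies instead. What the class does add is that a stolen or shared URL is only useful until the short idle timeout expires, and that a URL with an ID chosen by someone else never becomes a valid session because login always mints a new one.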