1

I'd like your advice on what is used by robust frameworks/code (RoR, Zend, Symfony, Django..).

I use for my User Management system (understand: login, logout, is user logged, user_id, username, etc..;) a simple et tiny framework (userCake). I'm refactoring my code, making API for iPhone/Androi/Js use and I'd like to refresh this piece of code. I need to know if I just rearrange my classes, dependencies, classes and keep the same process OR if I need to change some things.

Current state of play
After the user successfully signIn, I retrieve all his data, serialize it, create a sessionID. I store this sessionID in a user Cookie and all the serialized data on a DB table that links the sessionID and the data.

Then, on my website, each time a page is requested, I retrieve from DB the serialized data matching the sessionID the user has in his cookie/session. I then make a query to be sure that the username and the hashed password matches in my db and my user is still active (not banned or removed). The same is made with my api (the iphone, android, js must give me the sessionID).

I've got a cronjob that deletes from my session Table the one which expired. When a user logs out, it's the same, I delete the line in my db and clear the user Cookie.

What I'm looking for
What I explained above seems good to me. But is it secure enough ? Is it really needed to double DB check each time that all is fine w/ username and password, can't I just trust the serialized data in my session table?

How all that is done in famous frameworks (Django, Rails, Symfony..)?

guillaumepotier
  • 7,369
  • 8
  • 45
  • 72

1 Answers1

1

First:

After the user successfully signIn, I retrieve all his data, serialize it, create a sessionID. I store this sessionID in a user Cookie and all the serialized data on a DB table that links the sessionID and the data.

When you "retrieve all his data" wasn't this from a database already? why would you then serialize the data and put it back into another part of the database? why not just store the user id in a session variable, and use this to query any user info you may need?

Second:

I then make a query to be sure that the username and the hashed password matches in my db

Where are you getting the username and password each request to test against the DB? it sounds as though you are testing the user and pass you store serialized in your db against the original info in the DB. If so, this will always match, as you set this yourself.

Third:

Why do you use a cron job to remove expired sessions? Sessions have a built in expiration mechanism.

Typically, you will want to secure your session using fingerprinting and/or trending. you can then simply save your user's primary db key in a session variable, and use that each request to retrieve any user data you may need. Also, you shouldn't need to create a session id and store it in a cookie yourself. PHP handles this mechanism for you when you call session_start(), and then store any session variables you want to save in the $_SESSION superglobal array. Most of the frameworks you mentioned are open source, so if you want, you can look through their code and see for yourself what they do.

dqhendricks
  • 19,030
  • 11
  • 50
  • 83