[nycphp-talk] sessions and application security

Chris Shiflett shiflett at php.net
Tue Jan 27 12:07:01 EST 2004


--- Chris Hubbard <chubbard at next-online.net> wrote:
> So it's important to make the session management as strong as possible.
> One of the guys on the team advocates designing the application so it 
> doesn't use sessions, basically passing a token in the URL that tells 
> the server who the person is and where they are in the application.

What is this guy's definition of a session? It sounds to me like he simply
advocates passing session data back and forth across the public Internet
rather than keeping it on the server. Which sounds more secure? :-)

> The application when it's deployed will have two or three web servers 
> handling the traffic, with a separate Oracle server. We will have 
> multiple servers for two reasons, first handling the load, and second
> to provide some failover. So whatever mechanism we implement will need
> to scale.

I hate that word, scale. I think you just mean that the session mechanism
must function correctly in a clustered environment, right?

Keeping session data in a database is a convenient way to achieve this,
although there are other solutions as well. For example, msession is an
extension that was designed specifically to share session data among a
cluster of servers. I've never used it, but it might work well for you
(assuming the database solution doesn't).

Someone at a NYPHP had a pretty creative solution that basically achieved
server affinity at the application level. Maybe they'll speak up and
provide the details, but I remember it had something to do with setting a
cookie that indicated which server had the user's session. As I recall,
this worked well for this developer, and he had some decent traffic to
handle.

> We definitely don't want to make it easy for people to hijack the
> session.

I wrote an article recently on this that was intended to help get people
started thinking about session security. You can get it for free from:

http://www.phpmag.net/ssl/phppdf/

It's the free sample at the bottom, and the article is, "The Truth about
Sessions."

> Thoughts, suggestions, or even better what is the "best" way to do
> this?

What is best for one person isn't necessarily best for another. The
architect of any Web application is likely to be the most qualified person
to be deciding on the best session solution. All you need is a little
background information along with some suggestions and example solutions,
and you're set.

Just don't let anyone who suggests passing session data back and forth
across the Internet for every transaction be making decisions about
session security. :-)

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
     Coming mid-2004
HTTP Developer's Handbook
     http://httphandbook.org/
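Chris's recommendation above, keeping session data on the server in a store every cluster node shares while the client holds only an opaque session ID, as a database-backed PHP save handler. This is an added example, not code from the original post; it assumes PHP 8, a table `sessions(id VARCHAR(128) PRIMARY KEY, data TEXT, expires INT)`, and a placeholder DSN and credentials.

```php
<?php
// Added example (not from the original post): session data stays in a shared
// database so any web server can serve any request; the client holds only an
// opaque session ID in a cookie. Assumes PHP 8 and a table
// sessions(id VARCHAR(128) PRIMARY KEY, data TEXT, expires INT); DSN is a placeholder.
final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $ttl = 1440) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Unknown or expired IDs read as empty, so a guessed ID yields no data.
    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = :id AND expires > :now');
        $st->execute([':id' => $id, ':now' => time()]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? (string) $row['data'] : '';
    }

    public function write(string $id, string $data): bool
    {
        // Replace the row inside a transaction (portable across PDO drivers);
        // note this handler does no per-session locking, unlike PHP's file handler.
        $this->db->beginTransaction();
        $this->db->prepare('DELETE FROM sessions WHERE id = :id')->execute([':id' => $id]);
        $this->db->prepare('INSERT INTO sessions (id, data, expires) VALUES (:id, :data, :exp)')
            ->execute([':id' => $id, ':data' => $data, ':exp' => time() + $this->ttl]);
        return $this->db->commit();
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = :id')->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires < :now');
        $st->execute([':now' => time()]);
        return $st->rowCount();
    }
}

$db = new PDO('oci:dbname=//db.internal.example/ORCL', 'app_user', 'placeholder'); // placeholder DSN
ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
session_set_save_handler(new DbSessionHandler($db), true);
session_start();
```

With `session.use_only_cookies` set, the only thing that crosses the network is the session ID cookie; the state itself never leaves the shared store.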

[nycphp-talk] OT:Virus Alert: MyDoom

Hans Zaunere hans not junk at nyphp.com
Tue Jan 27 12:12:38 EST 2004


> This one seems to be really catching on.  We are getting a ton of these
> emails this morning. We allow ZIP files through and have to, so we have
> some exposure with this virus.  People here are aware of this issue, but
> you never know if everyone will think "virus" when that juicy ZIP file is
> staring them in the face from their inbox.

I've set Outlook to filter messages with a size of between 29 and 31
kb... works like a charm so far.

But yeah, this one was hitting pretty hard.  The NYPHP lists are getting
slammed, but thankfully they are closed to non members :)

H
