
Apologies if this question has been asked before. I am having trouble finding an answer that explains things in a way I understand.

I am using a shared Linux server to host a PHP/MySQL site or two. I have coded a login for the admin area that uses sessions (the session data is stored in a database), but the problem is that the sessions time out after 20 or so minutes. I have spoken to the hosting provider and as far as I can tell there is no way to change this. I have tried changing the gc_maxlifetime in htaccess and individual php.ini files (they either break the system or don't work). The hosting provider confirmed that my attempts were probably futile.

So I have switched to using cookies as a test. However, I am concerned that there is now a security issue. The cookies I store (username/SHA encrypted password, user agent/remote_address, a token and some time-related items) are all AES encrypted in the cookies; I also use some salts, IP checks and a lock down after a number of bad login attempts.

The token is changed every login and is stored in the database to be compared; that is really what is doing any protection. The rest of the items are just making sure the right data is being displayed for the user that is logged in. I am concerned that the token is the only real piece of protection I have. Given my constraints with the host I was hoping that I could get some suggestions/help or be pointed to a piece of code that provides a better solution or at least adds to what I have done.

Perhaps I have gone about it the wrong way entirely. Just to reiterate, as far as I can tell I can't seem to get sessions to stop timing out after 20 minutes :(.

Thanks for any help in advance.

kaliok
  • You should ask your provider to explain the reason why it is not possible. – Gumbo Mar 27 '12 at 17:28
  • @Gumbo the issue I am having is actually happening with multiple hosting providers I use, they are well known providers in the UK. I have asked them why before, and they say that is the way their servers are set up - and don't give any more info than that! I have tried to reset in htaccess using - php_value session.cookie_lifetime 3600 but get an internal server error. As for php.ini, I tried adding my own local version but that also doesn't seem to work :(. I appreciate that one answer is to move hosts - I find it strange other people don't have the same issue with a large hosting provider like this. – kaliok Mar 28 '12 at 12:00

1 Answer


That is an awful method of generating a session id and should never be used for any reason. The session id never expires and when it's cracked the attacker has the means to log in again. To top it off it's larger than it needs to be.

A Session ID must always be a cryptographic nonce. PHP's method of generating a session token isn't great, but it can be improved. You can use /dev/random as a source of entropy which helps.

You shouldn't have to reinvent the wheel to solve this problem. You should be able to set the session.cookie_lifetime and session.gc_maxlifetime values and rely upon session_start() and the $_SESSION super global. You might be interested in this post on PHP Sessions.

If you really want to build your own session handler, create an SQL table. For this table use a key as the session id, and generate it with session_id(). Use PHP's setcookie(), and make sure to set the security flags, like HttpOnly and the Secure bit. Insert a new record into the database, and make sure it has a timeout value. The biggest problem with this login system is SQL injection, because an attacker could obtain the session id and log in without having to crack a password hash.

rook
  • Hi Rook, thanks for your quick response. I'm afraid I am still a little lost. I did see the post on sessions that you mentioned before, but I was unable to get the session to last past the 20 minutes I mentioned. Perhaps I was putting the code in the wrong place. I am also not quite sure how to implement the SQL table session handler suggestion that you made - I used the following idea - http://shiflett.org/articles/storing-sessions-in-a-database - and that seems to work. However - I still have the same problem with timeouts from the hosting provider. Was hoping to get help with the cookies. – kaliok Mar 26 '12 at 23:01
  • @kaliok, I'm sorry, you have to be more specific. It's just a cookie that contains a very large random number and an SQL query to pull up the state, doesn't get much more simple than that. – rook Mar 26 '12 at 23:03
  • Thanks again. I am trying, I promise, but I'm not sure what you mean when you say I should be more specific. Is /dev/random the large random number you are talking about - if so, are you saying I should put that in my cookie? – kaliok Mar 26 '12 at 23:15
  • @kaliok You could, but it's easier to rely upon PHP's cookie generation. In the php.ini you can set an entropy source for /dev/random. Your host should be doing this, but it's not the default. – rook Mar 27 '12 at 02:07
  • Apologies for still not quite understanding, but as far as I am able to tell I can't change the main php.ini file and I have not had any success adding a php.ini file to the directory where I want sessions to work. I am also still confused about what you are saying about the cookie login system I am testing. – kaliok Mar 27 '12 at 06:42
  • @kaliok Sounds like you have bigger problems than just a simple coding problem. – rook Mar 27 '12 at 15:16
  • OK... so can I assume then that you are saying that there is nothing I can do to make a login secure if I just use cookies? – kaliok Mar 27 '12 at 18:25
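The table-backed handler the answer describes, written out as an added example (not the asker's or the answerer's code; assumes PHP 8.1 with PDO/MySQL, a `sessions` table as sketched in the comment, and placeholder database credentials): because the handler enforces its own `expires_at` column, the host's 20-minute gc_maxlifetime no longer ends logins, and the cookie carries the Secure and HttpOnly flags the answer asks for.

```php
<?php
// Added example, not code from the question or the answer: a database-backed
// session handler whose expiry is its own expires_at column, so the host's
// 20-minute gc_maxlifetime no longer decides when a login ends. Assumed table:
//   CREATE TABLE sessions (id VARBINARY(128) PRIMARY KEY,
//                          data BLOB NOT NULL, expires_at INT UNSIGNED NOT NULL);
const SESSION_LIFETIME = 3600;   // idle lifetime in seconds (assumed value)
class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        // An expired row is treated exactly like an unknown id.
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires_at > ?');
        $st->execute([$id, time()]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';
    }
    public function write(string $id, string $data): bool
    {
        // Bound parameters only: the id arrives in a cookie the client controls,
        // which is the SQL injection path the answer warns about. Each write
        // also slides expires_at forward, giving an idle timeout.
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, expires_at) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time() + SESSION_LIFETIME]);
    }
    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false
    {
        // Ignore the host's $max_lifetime; expires_at is authoritative.
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires_at <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }
}

$db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass',   // placeholder DSN
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
session_set_save_handler(new DbSessionHandler($db), true);
session_set_cookie_params(['lifetime' => SESSION_LIFETIME, 'secure' => true,
                           'httponly' => true, 'samesite' => 'Lax']);
session_start();
// On successful login call session_regenerate_id(true) before storing the
// user id in $_SESSION, so a pre-login id cannot be reused (session fixation).
```

The host's garbage collector still calls gc() on its own schedule, but it only removes rows that are past expires_at, and a cron job that purges session files cannot touch this table.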