Destroying sessions on user logout.


32 Replies - 2631 Views - Last Post: 31 March 2015 - 07:10 PM

#16 benanamen

Re: Destroying sessions on user logout.

Posted 31 March 2015 - 11:43 AM

ArtificialSoldier, on 31 March 2015 - 11:35 AM, said:

Quote

If I log into the app and you log into the same app we are each assigned our OWN unique session ID.

Yes, I understand that. I'm talking about multiple pieces of code all using the same session for the same user. It can be a problem if any of them decides to destroy the session. I'm having trouble remembering the details of this, but I've been burned by this once. I can't remember what specifically I was working on, but I was saving data in the session and some other code in some other part of the application decided to just destroy the entire session when they were done using it, which of course clobbered all of my data also. I can't remember if that was a version of Wordpress or what, I think it actually might have been CubeCart that I was working with. That other piece of code should not have been using session_destroy, it should have used unset on only the specific values that it was working with.


Not sure what you were working on, but I am only and specifically referring to using session destroy on the logout. When you logout, you are done with everything. There is no longer a need for session anything at that point.

You will most definitely have problems if the code uses session destroy anywhere other than logging out. It sounds like that's what was going on with what you were working on. I can't think of any reason off the top of my head to use session destroy anywhere except for logging out.

#17 ArtificialSoldier

Re: Destroying sessions on user logout.

Posted 31 March 2015 - 12:02 PM

Quote

Not sure what you were working on, but I am only and specifically referring to using session destroy on the logout. When you logout, you are done with everything. There is no longer a need for session anything at that point.

I think that depends on the application. In general that's probably true, but I think there are some valid use cases where you're still tracking data in the session even if the user is not logged in. It could just be for caching purposes. There are also some use cases where people don't log in at all. I think it was in fact CubeCart that I was working with, although this was something like 10 years ago. Consider the case where a user is adding data to a shopping cart but they aren't logged in, for example. There are some situations where you might want to remove some data from the session but not just destroy the whole thing. Especially for applications that are specifically designed to be extended by other programmers, I still think that logging out means that you unset the data that you specifically set in the session, the data that tracks who is logged in. Other plugins or modules can listen for a logout event if they also want to remove their data if it's associated with the current login session. I don't agree with the idea that the only purpose of the session is to track who is logged in, there are plenty of other uses for it where destroying the entire thing on log out wouldn't make sense.

#18 benanamen

Re: Destroying sessions on user logout.

Posted 31 March 2015 - 12:21 PM

Quote

I don't agree with the idea that the only purpose of the session is to track who is logged in

I never said that at all. I said session destroy on logout.

Quote

There are also some use cases where people don't log in at all.

EVERYTHING I have said has nothing to do with this scenario. Only logging in/logging out and the use of session destroy as part of the logout code.

Quote

Consider the case where a user is adding data to a shopping cart but they aren't logged in

This does not apply to this whatsoever. Logged in user ONLY.

Quote

I still think that logging out means that you unset the data that you specifically set in the session

This is absolutely true, but only 50% of the logout procedure; the second part is calling session destroy right after it. There is a particular reason why you would not do session destroy all by itself. Do you know what that is?

I will pay anyone $100 from my PayPal if they can show me where a login session should remain open after logging out. And I don't mean anything like logging/saving the session ID. I mean an OPEN session between the client (browser) and the server.
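The two-step logout procedure benanamen refers to (clear the login data, then destroy the session) written out as an added example; this is not code from the thread or from any poster. It assumes PHP 7.3 or later for the array form of setcookie() and the samesite cookie parameter. The point of the extra steps is that emptying $_SESSION on its own leaves both the server-side session file and the browser's session cookie in place, so the same session ID would keep being sent and accepted; expiring the cookie and calling session_destroy() is what makes the pre-logout ID useless.

```php
<?php
// Added example, not from the thread: a complete logout for the
// "logged-in user only" case discussed above.

function logout_full(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Drop every value the application stored for this login.
    $_SESSION = [];

    // 2. Expire the session cookie in the browser so the old ID is not
    //    re-sent on the next request. The cookie attributes must match
    //    the ones the session was created with, or the browser keeps it.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',
        ]);
    }

    // 3. Remove the server-side session storage (the session file when
    //    the default files handler is in use).
    session_destroy();
}

// Typical use from a logout page (file name is hypothetical):
// logout_full();
// header('Location: /login.php');
// exit;
```

A server with session.use_strict_mode enabled additionally refuses to adopt an uninitialised ID presented by a client, which closes the gap where a browser that still holds the old cookie would otherwise cause a new, empty session to be created under that same ID.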

#19 Atli

Re: Destroying sessions on user logout.

Posted 31 March 2015 - 12:38 PM

Consider this scenario:

I once worked on a game site, where the actual game was not behind a login. Users entered the site, picked a username, and then started playing. The whole thing was AJAX driven and maintained the game state for the user in the PHP session.

It wasn't a persistent thing; every user was temporary and stopped existing with the current session. Therefore, no login, and no logout; no sensitive data to be protected.

However, there were also certain admin sections to control the game, which did require user authentication. That login system was still completely separate from the game state. A player would click a button, log in through a modal, perform whatever admin actions were required through that modal, and then log out by closing the modal.

If the admin system were to destroy the session on logout, it would have also destroyed the current gaming session for that user, and require the user to reload the game and start a new gaming session. That would not go over well with those players.

#20 modi123_1

Re: Destroying sessions on user logout.

Posted 31 March 2015 - 12:39 PM

Off the top of my head - in cases of switching users accounts that may contain different roles (say for testing), keeping server specific apps running but not having your account info up all willy-nilly, html mobile apps that are suspended in processing, but not destroyed.

#21 benanamen

Re: Destroying sessions on user logout.

Posted 31 March 2015 - 01:01 PM

Quote

If the admin system were to destroy the session on logout, it would have also destroyed the current gaming session for that user, and require the user to reload the game and start a new gaming session. That would not go over well with those players.


That is just not true at all. When the admin logs out, the ONLY session destroyed is the admin's session (his unique session ID, which is also a file). The user has his own unique session ID, as does the admin. Technically, in part, a session is an actual file on the server with cleartext data in it. The admin's filename, for example, is abc_session; the player's session file is xyz_session. ONLY the file abc_session will be deleted from the server with session destroy ON LOGGING OUT. The file xyz_session is never touched and has no idea that any other session even exists or existed.

#22 Atli

Re: Destroying sessions on user logout.

Posted 31 March 2015 - 01:08 PM

We're not talking about two separate sessions. The admin is the player; there aren't two separate browsers; it's all happening on one page, for one person. The admin would be logging in while playing, through a modal window that runs through AJAX.

The session for this user would essentially look like this while the admin panel is open and logged in:
$_SESSION = [
    "game_data" => [
        "player" => "Uberplayer 1337",
        "posx" => 1500,
        "posy" => -330,
        "direction" => 270,
        // etc...
    ],
    "admin" => [
        "name" => "admin_user_1",
        "last_seen" => "2015-03-31 00:00:00"
    ]
];

And on logout, to only log out of the admin panel but not destroy the game data, the code would simply: unset($_SESSION["admin"]).

#23 benanamen

Re: Destroying sessions on user logout.

Posted 31 March 2015 - 01:10 PM

Quote

Off the top of my head - in cases of switching users accounts that may contain different roles (say for testing), keeping server specific apps running but not having your account info up all willy-nilly, html mobile apps that are suspended in processing, but not destroyed.


Please give a more detailed example. I am not getting what you're saying.

As far as switching roles, you don't do it by destroying a session. That is the same as logging out and logging back in. That is also not a good way to do role switching. All you have to do is put all the person's role IDs in a role session array on login and then update the logged_in_as_role session var to any of the IDs in the array.

Quote

I will pay anyone $100 from my PayPal if they can show me where a login session should remain open after logging out. And I don't mean anything like logging/saving the session ID. I mean an OPEN session between the client (browser) and the server.


Just an update to the above offer. It is valid for three days including today. I don't want to still be dealing with it 5 years from now.

#24 modi123_1

Re: Destroying sessions on user logout.

Posted 31 March 2015 - 01:13 PM

Quote

That is also not a good way to do role switching.

Yawn - I don't quite care enough to get bogged down in the granularity of 'good-enough way' or not.

#25 benanamen

Re: Destroying sessions on user logout.

Posted 31 March 2015 - 01:33 PM

I am tiring of this subject anyway. The fact of the matter is that not destroying a user's logged-in session on logout is a security risk. That is not my opinion or belief. It is just a fact, and a provable, demonstrable one at that.

If anyone cares to research it, the info is out there.

#26 ArtificialSoldier

Re: Destroying sessions on user logout.

Posted 31 March 2015 - 03:22 PM

Quote

I will pay anyone a $100 from my pay pal if they can show me where a login session should remain open after logging out.

I think you're going to move the goal posts. You're going to say something about it not being the right way to do something, or whatever else. Atli gave a fine example - the application is tracking data in the session while the user is not logged in, then the user logs in, they do something, log out, and you want to remove the session login data but don't want to also destroy the data they had before logging in. That's a perfectly fine example, but you'll say something like that's not the right way to do it, you should be using one session for the data and another session for the login information (which is completely wrong), or whatever else. It's not a real offer, you'll just counter with a reason why it's a bad example even though it's real-world.

Here's a specific example, like Atli gave: a user comes to your site. You start a session and save the HTTP "referer" header so that you know where they came from. They start using your site. They login, do whatever, log out. They're still using the site though, just no longer logged in. They go perform some specific action that you're tracking, maybe they fill out a form, or watch a video, or whatever. You're using Google Analytics to track specific events, like watching the video. Whenever someone watches the video you have an analytics event to record the original referrer so that you know from where this person came to your site prior to watching the video. If you had destroyed the entire session when they logged out then you would not have that referrer data to send with the event tracking.

You have a website that has chatting on it, using ajax. People can come and enter a group chat and chat with everyone in the room, similar to IRC. They don't need to be logged in to chat. Whenever someone submits a piece of text for the chat you save it in the session, so that you can avoid having someone send the same message over and over. If they submit a message and it's the same as what's in the session, you ignore it. You want to use the session because it's more efficient than an extra database lookup for the previous message every time they submit a new message. Again, while they're chatting they can log in to another portion of the site, do some work, and log out, while still chatting. Deleting the entire session when they log out, again, also deletes the data that was not used for login tracking.

It's trivial to come up with any number of examples like this.

#27 benanamen

Re: Destroying sessions on user logout.

Posted 31 March 2015 - 04:45 PM

@ArtificialSoldier, I commend you on your specific examples. But.... if you refer to one or more of my posts, I have more than emphasized that I am talking about a login/logout scenario ONLY.


MY QUOTES:

Quote

Only logging in/logging out and the use of session destroy as part of the logout code.


Quote

EVERYTHING I have said has nothing to do with this scenario. Only logging in/logging out and the use of session destroy as part of the logout code.


What you have presented is not just a logging in/logging out scenario. We have really gotten way off track of the point I was making in the first place. Leaving an open session connection between the client and the server is a security risk. No opinion, no belief, just a fact. If you wish to continue discussing that we can; otherwise I am a bit burned out on this.

This post has been edited by benanamen: 31 March 2015 - 04:48 PM


#28 Atli

Re: Destroying sessions on user logout.

Posted 31 March 2015 - 04:55 PM

OK, let's step back then to a case where user logout means everything in the session is cleared out.

Let's assume my code puts all its session data in an array stored in $_SESSION['appData'], and I clear that out during logout with unset($_SESSION['appData']).

What are the security risks I face if I leave the session in that state?

#29 ArtificialSoldier

Re: Destroying sessions on user logout.

Posted 31 March 2015 - 05:03 PM

From what I understand, all of the possible risks come from other vulnerabilities present in the "noob application", and that if those vulnerabilities do not exist then I don't see a problem with an existing session. In other words, the problem is not the open session itself, it is an open session combined with other vulnerabilities that shouldn't be there in the first place.

#30 benanamen

Re: Destroying sessions on user logout.

Posted 31 March 2015 - 05:34 PM

Atli, on 31 March 2015 - 04:55 PM, said:

OK, let's step back then to a case where user logout means everything in the session is cleared out.

Let's assume my code puts all its session data in an array stored in $_SESSION['appData'], and I clear that out during logout with unset($_SESSION['appData']).

What are the security risks I face if I leave the session in that state?


I will refer you to my detailed post from this morning.

I assume you are knowledgeable enough to know that most of the hacks regarding sessions are to get a hold of a valid session to start doing the bad stuff. If there are so many hacks just to get it, there must be a reason why. By leaving a session open after the valid user has come and gone, you eliminate much of the hard work for the hacker.

** On another note, I have attached a very good read on sessions hacking to this post. I think everyone would benefit from reading it.


This post has been edited by benanamen: 31 March 2015 - 05:35 PM

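The two positions in the thread are reconcilable, and the following added example (not code from the thread or from any poster) shows how. It takes Atli's $_SESSION layout from post #22 and the unset() logout from post #28, and answers the concern in post #30 by rotating the session ID at the same time: session_regenerate_id(true) issues a fresh ID to the browser and deletes the old session's storage, so an ID that was valid while the admin was logged in no longer maps to anything, while the non-login data survives under the new ID. The session contents are a constructed sample; the key name "admin" is the one from the thread.

```php
<?php
// Added example, not from the thread: log out of one part of the
// application without discarding the rest of the session, while still
// invalidating the session ID that was in use during the login.

function logout_partial(string $loginKey): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $oldId = session_id();

    // Remove only the branch that records the login; everything else
    // in $_SESSION is left in place.
    unset($_SESSION[$loginKey]);

    // Give the browser a new session ID and delete the old session's
    // storage. The surviving data is carried over to the new ID; a
    // request that still presents $oldId finds no session behind it.
    session_regenerate_id(true);

    return $oldId;
}

// Constructed sample session, shaped like the layout in post #22.
session_start();
$_SESSION = [
    'game_data' => [
        'player'    => 'Uberplayer 1337',
        'posx'      => 1500,
        'posy'      => -330,
        'direction' => 270,
    ],
    'admin' => [
        'name'      => 'admin_user_1',
        'last_seen' => '2015-03-31 00:00:00',
    ],
];

$oldId = logout_partial('admin');

// After the call: the admin branch is gone, the game data is intact,
// and the current session ID differs from $oldId.
var_dump(isset($_SESSION['admin']));
var_dump(isset($_SESSION['game_data']));
var_dump($oldId !== session_id());
```

Whether a logout should clear the whole session or only the login branch is an application decision, as the thread shows; what should not be skipped in either case is invalidating the ID that was accepted as "logged in", which is what session_destroy() (after clearing the cookie) does for the full logout and session_regenerate_id(true) does for the partial one.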
