Atli's Profile User Rating: *****

Reputation: 3803 Guru
Group:
Moderators
Active Posts:
6,658 (3.79 per day)
Joined:
08-June 10
Profile Views:
85,983
Last Active:
User is online 26 minutes ago
Currently:
Viewing Board Index

Previous Fields

Country:
IS
OS Preference:
Linux
Favorite Browser:
Opera
Favorite Processor:
Intel
Favorite Gaming Platform:
PC
Your Car:
Toyota
Dream Kudos:
275
Expert In:
PHP, Databases, Web Development

Posts I've Made

  1. In Topic: Destroying sessions on user logout.

    Posted 31 Mar 2015

    I see what you mean with the session fixation issue.

    It's pretty easily defeated, though, by simply refreshing the session ID on successful user login. If you take that a step further and refresh the session ID on each request, that should neutralize pretty much any attack that relies on the attacker knowing the session ID. They'd have to manage to figure out the ID after the user logs in, and then use that ID before the user has a chance to make a new request.

    I guess it would be theoretically possible for an attacker to intercept the user's traffic and thus access a valid session ID, or by use of some malware find it on the user's end, but if they have that sort of access, it would be just as easy to steal the actual password as the user logs in, and log in themselves.

    Quote

    I assume you are knowledgeable enough to know that most of the hacks regarding sessions are to get a hold of a valid session to start doing the bad stuff. If there are so many hacks just to get it, there must be a reason why. By leaving a session open after the valid user has come and gone, you eliminate much of the hard work for the hacker.

    Getting a hold of a valid session isn't usually a problem though. Most sites will issue you a session ID right as you enter the site, or at least as you attempt to log in. Stealing an old session ID would hardly ever be necessary. - Even the owasp.org site issues you a session ID as you enter the login form :)

    In the context of session fixation and even session hijacking, as I understand it, issuing a session ID before the user has been authenticated would be just as dangerous as leaving the session intact after logout.
  2. In Topic: Destroying sessions on user logout.

    Posted 31 Mar 2015

    OK, let's step back then to a case where user logout means everything in the session is cleared out.

    Let's assume my code puts all its session data in an array stored in $_SESSION['appData'], and I clear that out during logout with unset($_SESSION['appData']).

    What are the security risks I face if I leave the session in that state?
  3. In Topic: Destroying sessions on user logout.

    Posted 31 Mar 2015

    We're not talking about two separate sessions. The admin is the player; there aren't two separate browsers; it's all happening on one page, for one person. The admin would be logging in while playing, through a modal window that runs through AJAX.

    The session for this user would essentially look like this while the admin panel is open and logged in:
    $_SESSION = [
        "game_data" => [
            "player" => "Uberplayer 1337",
            "posx" => 1500,
            "posy" => -330,
            "direction" => 270,
            // etc...
        ],
        "admin" => [
            "name" => "admin_user_1",
            "last_seen" => "2015-03-31 00:00:00"
        ]
    ];

    And on logout, to only log out of the admin panel but not destroy the game data, the code would simply: unset($_SESSION["admin"]).
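    A PHP sketch of the split these three posts describe (regenerate the ID on login, log out of the admin part only, keep the game state), added here as an illustration; it is not Atli's or the game site's code, and the function names, the cookie parameters and the session layout are assumptions:

```php
<?php
// Added example, not from the thread. Session layout mirrors the one quoted
// above: 'game_data' (no login) lives beside 'admin' (login required).

function startSession(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Cookie hardening (assumed settings): no JS access, HTTPS only,
        // not sent on cross-site requests.
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => true,
            'samesite' => 'Strict',
        ]);
        session_start();
    }
}

// Call only after the credentials have been verified. Every visitor already
// holds an ID from loading the login form; rotating here means a fixated or
// previously observed ID never becomes an authenticated one.
function adminLogin(string $adminName): void {
    session_regenerate_id(true);          // true: discard the old session data
    $_SESSION['admin'] = [
        'name'      => $adminName,
        'last_seen' => date('Y-m-d H:i:s'),
    ];
}

// Logs out of the admin panel only; $_SESSION['game_data'] is untouched.
// The ID is rotated again so the now-unprivileged session does not keep the
// ID that was valid while the admin was logged in.
function adminLogout(): void {
    unset($_SESSION['admin']);
    session_regenerate_id(true);
}

// Full teardown for the case where nothing in the session needs to survive:
// clear the data, expire the cookie, then destroy the server-side record.
function fullLogout(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

function isAdminLoggedIn(): bool {
    return isset($_SESSION['admin']['name']);
}
```

    Rotating the ID on every request, as the first post also suggests, can race with concurrent AJAX calls that still carry the previous ID, so rotating at each privilege change (login and logout) is the usual compromise.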
  4. In Topic: Destroying sessions on user logout.

    Posted 31 Mar 2015

    Consider this scenario:

    I once worked on a game site, where the actual game was not behind a login. Users entered the site, picked a username, and then started playing. The whole thing was AJAX driven and maintained the game state for the user in the PHP session.

    It wasn't a persistent thing; every user was temporary and stopped existing with the current session. Therefore, no login, and no logout; no sensitive data to be protected.

    However, there were also certain admin sections to control the game, which did require user authentication. That login system was still completely separate from the game state. A player would click a button, log in through a modal, perform whatever admin actions were required through that modal, and then log out by closing the modal.

    If the admin system were to destroy the session on logout, it would have also destroyed the current gaming session for that user, and require the user to reload the game and start a new gaming session. That would not go over well with those players.
  5. In Topic: PHP MySQL login form

    Posted 31 Mar 2015

    Note that I've moved my discussion with benanamen, on the merits of destroying the session, out of this thread into its own thread, over here. Don't want to hijack this thread with that discussion.

My Information

Member Title:
D.I.C Lover
Age:
28 years old
Birthday:
September 5, 1986
Gender:
Location:
Iceland
Full Name:
Atli Þór Jónsson
Years Programming:
12
Programming Languages:
Mainly: PHP, SQL (MySQL, MSSQL, PostgreSQL), Web Development, (HTML, CSS, Javascript, jQuery).

Additionally: C#, VB.NET, Java, Node.js, ActionScript 3, LUA, C/C++, Python.

Contact Information

E-mail:
Private
Yahoo:
Yahoo  atli.jonsson@ymail.com
Twitter:
Atli_Thor

Comments

  1. Anuraj23 (24 Nov 2012 - 00:43)
     hi
  2. Atli (21 Sep 2012 - 03:19)
     Hey lyster. Please post questions like that in the forums. That's what they're there for.
  3. lyster (21 Sep 2012 - 00:40)
     I just can't figure out what the possible tables are, I want to know normalization well.. u_u
  4. lyster (21 Sep 2012 - 00:34)
     Hi there Mr. Atli.. I hope you could give me some advice and ideas on how to make an ERD for my mini mortuary_system, thanks, God bless you..
     By the way, I'm a student of a state college here in the Philippines.
  5. kimimimi (26 Aug 2012 - 00:37)
     please help me
  6. xenoslash (19 Jul 2012 - 23:35)
     You are quite possibly the most helpful member of the community. I wish I could +1 you more than once for every long (and useful!) post you make.
  7. Maryam.m (23 Jun 2012 - 10:52)
     Hey, I understood what I should do!!!
     I'm so happy :D :D
     tnx
  8. polyosis (11 Jun 2012 - 16:49)
     I would like to thank you for your advice with my site path and installation problems, you are most kind my friend.
  9. Atli (14 Apr 2012 - 05:22)
     Yea it seems to like you, Dimitri ;)
  10. DimitriV (08 Apr 2012 - 19:20)
     Your avatar… it blinked at me.
  11. Atli (06 Nov 2011 - 19:49)
     Hehe. Thanks guys :)
  12. Dogstopper (06 Nov 2011 - 19:19)
     Lookin' a little blue there. Cheer up man! You're a mod! Congratz!
  13. codeprada (06 Nov 2011 - 18:34)
     It's about time. Congrats on reaching blue status.
  14. n00l3 (05 Sep 2011 - 12:59)
     Happy birthday! :D
  15. cupidvogel (03 Sep 2011 - 23:06)
     I can't seem to like your reply to my jQuery post an hour ago (fantastic explanation it was), because the Javascript in my browser is somewhat malfunctioning. I will like it later, ok?