I know this topic has come up before but there are a few issues that haven't been addressed....
This topic kind of started between me and arnage in the chat box so I thought I would make it a topic so everyone can see this discussion.
First of all I would like to start out by saying that having URL session variables is pretty much setting yourself up to be hacked via cross site scripting.
Most people are aware of the referrer ( $_SERVER['HTTP_REFERER'] ) but for the few that don't, it passes the address of the last site you visited to the new site...
An easy protection from this is to use a protection page where the URL session is not passed to.
eg: if your URL session variable is named $sid then you will require a page before you go to the next site that does not collect $sid via $_GET['sid']
Also you have to make sure no HTML injection can be made into your site.... this means protecting EVERY input a user can make (this includes ALL $_SERVER, $_SESSION, $_COOKIE, $_GET, $_POST, $_FILES, $_REQUEST etc) via htmlspecialchars() ... you should also use mysql_escape_string() on all of these.
DO NOT TRUST ANY INPUT A USER CAN MAKE
(even if you think there's no way of changing it in a million years)
Do you use [ img] bbcodes? If so make sure this is also protected against referrer etc by using the GD library.
Q) Do you have image uploaders on your site? ... are they protected with the GD library?
A) No, I have uploaders on my site for all types of files..... Well, you're at risk from an XSS hole from people stealing your URL session variables, and even checking every MIME type will not help you as this can be spoofed.
Checking the digital signature of every file may help you as it's doubtful anyone would go to so much trouble to steal a session of a WAP site, but even this can be spoofed :/
I know some people don't like using the GD library on .gif as without the aid of ImageMagick it stops the animation from playing (animations to show or be hacked.... your choice)
There are a few other methods of XSS holes that can also be used against URL session variables such as changing character encoding types etc .. which I haven't mentioned but I'm trying to keep this from being too long a topic as people will not read all of this if I make it too long.
(these methods can also be used to bypass your spam/bad word protection.)
You can protect your URL session variables by using a check against the browser name but pretty much everyone knows how to change your browser name these days...
You can also protect them the same way by checking against IP .... however if you do this you are at risk of losing members as some networks such as Orange change their IPs frequently.
So the best option is to use $_SESSION or $_COOKIE to protect your users' session....
What's the difference between $_SESSION and $_COOKIE?
$_SESSION is done server side whereas $_COOKIE is client side (user's browser) which can be easily changed by the user.
$_SESSION also requires cookies to be enabled on the user's browser.
So this means the initial session_id() gets stored as a $_COOKIE on the user's browser, and as we all know $_COOKIEs can be edited by the user,
which is why it is wise to use session_regenerate_id() every page load to enable a dynamic session...
How can $_SESSION be stolen? ..... The main way a $_SESSION can be stolen is by being on shared hosting, by accessing the /tmp folder which is used by everyone... there are a few other methods that a hacker can use to impersonate a session,
which is why it would be a good idea to use a dynamic session and then store old sessions .... and log both users out if an old session is used. (log both out because the REAL USER might send the old session id and not the hacker)
I'm going to stop here with this post as otherwise my post is going to be too long and people won't read it ... but I could keep going lol
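The dynamic session the post describes (regenerate the id on every page load, remember the retired ids, and log both parties out if a retired id is ever replayed), written out as an added PHP example that is not the poster's code. It assumes a hypothetical RETIRED_DIR outside the web root standing in for the database table a real site would use, and PHP's default session id alphabet and length.

```php
<?php
// Added example (not the poster's code): the "dynamic session" from the post.
// Every page load gets a fresh id, the retired id is recorded server side with
// the id that replaced it, and if a retired id is ever presented again, both
// the retired id and the session currently live for that user are destroyed.
// Assumption: RETIRED_DIR is a directory outside the web root that only this
// app can read; it stands in for the database table a real site would use.
const RETIRED_DIR = '/var/lib/myapp/retired_sessions'; // hypothetical path

function isValidSid(string $sid): bool {
    // PHP's default id alphabet and length range; reject anything else
    // before it is used to build a filesystem path.
    return (bool) preg_match('/^[a-zA-Z0-9,-]{22,256}$/', $sid);
}

function retiredPath(string $sid): string {
    return RETIRED_DIR . '/' . $sid;
}

function secureSessionStart(): void {
    $incoming = $_COOKIE[session_name()] ?? '';

    if (isValidSid($incoming) && is_file(retiredPath($incoming))) {
        // A retired id was replayed. Walk the replacement chain to find the
        // id that is still live, removing each retired link on the way.
        $live = $incoming;
        for ($i = 0; $i < 1000 && is_file(retiredPath($live)); $i++) {
            $next = trim((string) file_get_contents(retiredPath($live)));
            unlink(retiredPath($live));
            $live = isValidSid($next) ? $next : '';
            if ($live === '') { break; }
        }
        if ($live !== '') {
            session_id($live);
            session_start();
            session_destroy();           // logs out whoever holds the live id
        }
        // Clear the replayed cookie too, so the sender is logged out as well.
        setcookie(session_name(), '', time() - 3600, '/');
        http_response_code(403);
        exit('Session invalidated, please log in again.');
    }

    session_start();
    $oldId = session_id();
    session_regenerate_id(true);         // new id; old server-side data deleted
    file_put_contents(retiredPath($oldId), session_id(), LOCK_EX);
}
```

Parallel requests that still carry the previous cookie (image loads fired by the same page) will trip the replay check, so call this only from page requests, not from asset handlers. Entries in RETIRED_DIR are never pruned here; a real site would expire them alongside the session garbage collector.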