StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
2144433
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2010-01-27T03:46:03.980
FavoriteCount
0
LastActivityDate
2010-01-27T03:46:03.980
LastEditDate
2017-05-23T12:23:59.453
LastEditorUserId
-1
OwnerUserId
26210
ParentId
2144429
PostTypeId
2
Score
16
ViewCount
0
LastEditorDisplayName
text
Body
Note: Taken from <a href="https://stackoverflow.com/questions/1221447/what-do-i-need-to-store-in-the-php-session-when-user-logged-in/1225668#1225668">my previous answer</a>. <h1>Terminology</h1> <ul> <li>User: A visitor.</li> <li>Client: A particular web-capable software installed on a particular machine.</li> </ul> <hr> <h1>Understanding Sessions</h1> In order to understand how to make your session secure, you must first understand how sessions work. Let's see this piece of code: <pre><code>session_start(); </code></pre> As soon as you call that, PHP will look for a cookie called <code>PHPSESSID</code> (by default). If it is not found, it will create one: <pre><code>PHPSESSID=h8p6eoh3djplmnum2f696e4vq3 </code></pre> If it is found, it takes the value of <code>PHPSESSID</code> and then loads the corresponding session. That value is called a <code>session_id</code>. That is the only thing the client will know. Whatever you add into the session variable stays on the server, and is never transfered to the client. That variable doesn't change if you change the content of <code>$_SESSION</code>. It always stays the same until you destroy it or it times out. Therefore, it is useless to try to obfuscate the contents of <code>$_SESSION</code> by hashing it or by other means as the client never receives or sends that information. Then, in the case of a new session, you will set the variables: <pre><code>$_SESSION['user'] = 'someuser'; </code></pre> The client will never see that information. <hr> <h1>The Problem</h1> A security issue may arise when a malicious user steals the <code>session_id</code> of an other user. Without some kind of check, he will then be free to impersonate that user. We need to find a way to uniquely identify the client (not the user). One strategy (the most effective) involves checking if the IP of the client who started the session is the same as the IP of the person using the session. <pre><code>if(logging_in()) { $_SESSION['user'] = 'someuser'; $_SESSION['ip'] = $_SERVER['REMOTE_ADDR']; } // The Check on subsequent load if($_SESSION['ip'] != $_SERVER['REMOTE_ADDR']) { die('Session MAY have been hijacked'); } </code></pre> The problem with that strategy is that if a client uses a load-balancer, or (on long duration session) the user has a dynamic IP, it will trigger a false alert. Another strategy involves checking the user-agent of the client: <pre><code>if(logging_in()) { $_SESSION['user'] = 'someuser'; $_SESSION['agent'] = $_SERVER['HTTP_USER_AGENT']; } // The Check on subsequent load if($_SESSION['agent'] != $_SERVER['HTTP_USER_AGENT']) { die('Session MAY have been hijacked'); } </code></pre> The downside of that strategy is that if the client upgrades it's browser or installs an addon (some adds to the user-agent), the user-agent string will change and it will trigger a false alert. Another strategy is to rotate the <code>session_id</code> on each 5 requests. That way, the <code>session_id</code> theoretically doesn't stay long enough to be hijacked. <pre><code>if(logging_in()) { $_SESSION['user'] = 'someuser'; $_SESSION['count'] = 5; } // The Check on subsequent load if(($_SESSION['count'] -= 1) == 0) { session_regenerate_id(); $_SESSION['count'] = 5; } </code></pre> You may combine each of these strategies as you wish, but you will also combine the downsides. Unfortunately, no solution is fool-proof. If your <code>session_id</code> is compromised, you are pretty much done for. The above strategies are just stop-gap measures.
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POwhat is the efficient way to secure a session variable in php?
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USCommunity
UserOwnerUserId
1. USAndrew Moore
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. POwhat is the efficient way to secure a session variable in php?
 singulars
 PostTypePostTypeId
 PTQuestion
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.