PHP Cookies, Sessions and Authentication

DESCRIPTION
Do you know the difference between the PHP config directives session.gc_maxlifetime and session.cookie_lifetime? Have you wrestled with implementing a “Remember Me” button on your login page? Learn how popular sites, such as Twitter and Facebook, keep you logged in (apparently) forever and the security risks of such methods. http://github.com/hellogerard/tek11

TRANSCRIPT
(PHP) Sessions, Cookies, & Authentication
Gerard Sychay
#tek11
05/26/2011

Gerard Sychay
Zipscenemobile.com
Cincy Coworks
0. Introduction

This is Henry
baby

1. Sessions
2. Authentication
3. Keep Me Logged In
4. Security
1. Sessions

First request:
1. initial request
2. create new session ID
3. create session file named with ID
4. store ID in ‘PHPSESSID’ cookie

Subsequent requests:
1. read session ID from PHPSESSID cookie
2. find file with name matching session ID
3. read session data from session file
4. respond using session data
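As an added example (not the speaker's code), here is a deliberately simplified model of what PHP's built-in "files" session handler does in the two flows above. The cookie name PHPSESSID comes from the slides and the sess_ file prefix matches PHP's files handler; the temp directory, the 32-hex-character ID format, the hits counter and the function names are assumptions made here. It also shows the check a practitioner wants at step 2 of the returning-request flow: an ID the browser presents that has no matching file is never adopted (the behaviour PHP gives you with session.use_strict_mode = 1), so a session ID planted by someone else cannot become a valid session later.

```php
<?php
// Added example: a simplified model of PHP's "files" session handler.
// Not PHP's own code; directory, ID format and cookie attributes are assumptions.
declare(strict_types=1);

const SESSION_COOKIE = 'PHPSESSID';

// Step 2 (first request): a session ID is random, unguessable bytes.
function newSessionId(): string
{
    return bin2hex(random_bytes(16));            // 32 hex chars
}

// Step 3: the session file is named after the ID, e.g. sess_<id>.
function sessionFile(string $dir, string $id): string
{
    return $dir . DIRECTORY_SEPARATOR . 'sess_' . $id;
}

/**
 * Handle one request. $cookies plays the role of $_COOKIE.
 * Returns the session ID, the session data and the Set-Cookie header PHP would emit.
 */
function handleRequest(array $cookies, string $dir): array
{
    $id   = $cookies[SESSION_COOKIE] ?? null;
    $data = [];

    // Returning request, step 1: read the ID from the cookie. Accept only a
    // well-formed ID that already has a file (like session.use_strict_mode=1);
    // anything else starts a fresh session instead of adopting the presented ID.
    if ($id !== null && preg_match('/^[0-9a-f]{32}$/', $id) && is_file(sessionFile($dir, $id))) {
        // Steps 2-3: find the file named with the ID and read its data.
        $data = unserialize(file_get_contents(sessionFile($dir, $id)), ['allowed_classes' => false]);
        $setCookie = null;                        // browser already has the cookie
    } else {
        // First request, steps 2-4: new ID, new file below, cookie to the browser.
        $id = newSessionId();
        $setCookie = SESSION_COOKIE . '=' . $id . '; Path=/; HttpOnly';
    }

    // Step 4 (returning request): the application uses and updates the data,
    // which is written back to the file named with the ID.
    $data['hits'] = ($data['hits'] ?? 0) + 1;
    file_put_contents(sessionFile($dir, $id), serialize($data), LOCK_EX);

    return ['id' => $id, 'data' => $data, 'setCookie' => $setCookie];
}

// Demo: two requests from the same browser, then a cookie carrying an unknown ID.
$dir = sys_get_temp_dir() . '/sess-demo-' . getmypid();
mkdir($dir, 0700);

$first  = handleRequest([], $dir);                                      // no cookie yet
$second = handleRequest([SESSION_COOKIE => $first['id']], $dir);        // browser sends it back
$forged = handleRequest([SESSION_COOKIE => str_repeat('a', 32)], $dir); // well-formed but unknown

printf("first:  id=%s hits=%d set-cookie=%s\n", $first['id'], $first['data']['hits'], $first['setCookie']);
printf("second: id=%s hits=%d (same id, data read back from its file)\n", $second['id'], $second['data']['hits']);
printf("unknown: id=%s (fresh id issued, presented value not adopted)\n", $forged['id']);

array_map('unlink', glob("$dir/sess_*"));
rmdir($dir);
```

Run it with the PHP CLI; the second request reports hits=2 under the first request's ID, while the request with an unknown ID gets a new one. Real PHP adds locking, garbage collection and the session.* cookie attributes on top of this, but the file-per-ID mechanism is the same.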
2. Authentication

Sessions… what are they good for?

<?php
session_start();   // must run before $_SESSION is available

// set a flag
$_SESSION['authenticated'] = true;
$_SESSION['loggedIn'] = true;

// save something useful
$_SESSION['userId'] = 123;
$_SESSION['userName'] = 'jsmith';
“You know that thing that they have?”
session.cookie_lifetime
Specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means “until the browser is closed.” Defaults to 0.

session.gc_maxlifetime
Specifies the number of seconds after which data will be seen as ‘garbage’ and potentially cleaned up. Garbage collection may occur during session start. Defaults to 1440 seconds.
// 24h
session.cookie_lifetime = 86400;
// 24h
session.gc_maxlifetime = 86400;

session.cookie_lifetime
Absolute expiration time

session.gc_maxlifetime
Maximum idle time
Example
session.cookie_lifetime = 0;     // default
session.gc_maxlifetime = 1440;   // default
Henry:
Never closes his browser
Requests pages every 20 minutes or so.
Stays logged in!

Example
session.cookie_lifetime = 0;     // default
session.gc_maxlifetime = 1440;   // default
Henry:
Leaves his browser open
Takes a 30 min. snack break
Session garbage collected – logged out!

Example
session.cookie_lifetime = 3600;  // 1 hr
session.gc_maxlifetime = 1440;   // default
Henry:
Leaves his browser open
Takes a 30 min. snack break
Session garbage collected – logged out!

Example
session.cookie_lifetime = 3600;  // 1 hr
session.gc_maxlifetime = 3600;   // 1 hr
Henry:
Leaves his browser open
Takes a 45 min. snack break
Works for 30 mins.
Session cookie expires – logged out!
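The four Henry scenarios above follow from two rules: session.cookie_lifetime is absolute, counted from the moment the cookie was set at login (0 meaning the browser discards it when closed), and session.gc_maxlifetime is idle time, counted from the last request. The following added example (not from the talk) encodes those two rules in a small simulator and replays the slides' scenarios plus a browser-close case; the event format, function names and output wording are assumptions. One caveat the slide's manual quote hints at with "potentially cleaned up": PHP's garbage collector only runs with probability session.gc_probability / session.gc_divisor at session start, so a stale session can survive longer than gc_maxlifetime (never shorter). The simulator assumes the worst case for the user, that GC runs as soon as the data is stale.

```php
<?php
// Added example (not the speaker's code): model of cookie_lifetime (absolute,
// from login) vs gc_maxlifetime (idle since last request). Minutes after login.
// Assumes GC runs as soon as data is stale; real PHP GC is probabilistic.
declare(strict_types=1);

/**
 * @param array $events  ordered ['request', $minute] or ['close_browser', $minute] entries
 * @return string[]      one line per event; stops at the first "logged out"
 */
function simulate(array $events, int $cookieLifetime, int $gcMaxlifetime): array
{
    $cookieLifetime = intdiv($cookieLifetime, 60);   // ini values are seconds
    $gcMaxlifetime  = intdiv($gcMaxlifetime, 60);
    $lastRequest    = 0;      // login at minute 0 is the first request
    $hasCookie      = true;   // session cookie set at login
    $log            = [];

    foreach ($events as [$kind, $minute]) {
        if ($kind === 'close_browser') {
            // lifetime 0 = "until the browser is closed"; otherwise the cookie persists
            $hasCookie = $cookieLifetime !== 0;
            $log[] = sprintf('%3d min: browser closed, cookie %s', $minute, $hasCookie ? 'kept' : 'discarded');
            continue;
        }
        if (!$hasCookie || ($cookieLifetime !== 0 && $minute > $cookieLifetime)) {
            // No cookie reaches PHP, so a new, empty session starts: logged out.
            $log[] = sprintf('%3d min: no session cookie (expired or discarded) - logged out', $minute);
            return $log;
        }
        if ($minute - $lastRequest > $gcMaxlifetime) {
            // File older than gc_maxlifetime is garbage: the data is gone.
            $log[] = sprintf('%3d min: idle %d min > gc_maxlifetime - session garbage collected - logged out',
                $minute, $minute - $lastRequest);
            return $log;
        }
        $lastRequest = $minute;
        $log[] = sprintf('%3d min: request served, still logged in', $minute);
    }
    return $log;
}

// The slides' scenarios, plus one browser close. [cookie_lifetime, gc_maxlifetime, events]
$scenarios = [
    'defaults, never closes browser, a request every 20 min' =>
        [0, 1440, [['request', 20], ['request', 40], ['request', 60], ['request', 80]]],
    'defaults, 30 min snack break' =>
        [0, 1440, [['request', 30]]],
    'cookie 1 hr, gc default, 30 min snack break' =>
        [3600, 1440, [['request', 30]]],
    'cookie 1 hr, gc 1 hr, 45 min break then 30 min of work' =>
        [3600, 3600, [['request', 45], ['request', 55], ['request', 65], ['request', 75]]],
    'defaults, closes the browser after 10 min' =>
        [0, 1440, [['request', 10], ['close_browser', 12], ['request', 15]]],
];

foreach ($scenarios as $title => [$cookie, $gc, $events]) {
    echo "== $title (cookie_lifetime=$cookie, gc_maxlifetime=$gc)\n";
    foreach (simulate($events, $cookie, $gc) as $line) {
        echo "  $line\n";
    }
}
```

The fourth scenario shows why raising gc_maxlifetime alone is not enough for a "stay logged in" feature: the cookie set at login still expires at the absolute deadline, in the middle of Henry's work.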
Oh yeah, what was I trying to do?

3. Keep Me Logged In

What would
do?
Login:
1. initial login
2. create new auth token for user
3. store user’s unique auth token in DB
4. store auth token in ‘my_auth’ cookie

Return visit:
1. read auth token from ‘my_auth’ cookie
2. lookup auth token in DB
3. if valid token, log user in
4. store new session ID and auth token in cookies
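An added example (not the speaker's code) of the two flows above, using PDO with an in-memory SQLite database so it runs offline. The cookie name my_auth is from the slides; everything else is an assumption made here: the table and column names, the 30-day lifetime, and three hardenings on top of what the slides describe. The cookie carries selector:verifier and the database stores only a SHA-256 hash of the verifier, so a copy of the auth_tokens table does not hand out working cookies; tokens expire; and every successful use deletes the token and issues a new one (step 4 of the return visit), so a cookie value captured once stops working as soon as the real user comes back.

```php
<?php
// Added example (not the speaker's code): "Keep Me Logged In" with hashed,
// expiring, single-use tokens. Table/column names and lifetime are assumptions.
declare(strict_types=1);

const REMEMBER_COOKIE   = 'my_auth';
const REMEMBER_LIFETIME = 30 * 24 * 3600;   // 30 days, an assumption

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE auth_tokens (
            selector TEXT PRIMARY KEY, verifier_hash TEXT NOT NULL,
            user_id INTEGER NOT NULL, expires INTEGER NOT NULL)');
    }
    return $pdo;
}

// Login steps 2-4: create a token, store it (hashed) in the DB and return the
// cookie value plus the attributes to pass to setcookie().
function issueRememberToken(int $userId): array
{
    $selector = bin2hex(random_bytes(12));   // public lookup key
    $verifier = bin2hex(random_bytes(32));   // secret; only its hash is stored
    db()->prepare('INSERT INTO auth_tokens VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $verifier), $userId, time() + REMEMBER_LIFETIME]);

    return [
        'value'   => $selector . ':' . $verifier,
        'options' => ['expires' => time() + REMEMBER_LIFETIME, 'path' => '/',
                      'secure' => true, 'httponly' => true, 'samesite' => 'Lax'],
    ];
}

// Return visit steps 1-4: read the cookie, look the token up, log in if valid
// and hand back a rotated token. Returns null when the user must log in normally.
function loginFromRememberCookie(?string $cookie): ?array
{
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $verifier] = explode(':', $cookie, 2);
    $stmt = db()->prepare('SELECT verifier_hash, user_id, expires FROM auth_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                                          // unknown or already used
    }
    // Constant-time comparison of the stored hash against the presented verifier.
    if (!hash_equals($row['verifier_hash'], hash('sha256', $verifier))) {
        return null;   // selector known, verifier wrong: treat as a failed login
    }
    // Single use: remove the token whether it is still valid or already expired.
    db()->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$selector]);
    if ((int) $row['expires'] <= time()) {
        return null;
    }
    // Steps 3-4: the caller logs the user in under a fresh session ID
    // (session_regenerate_id(true) in a web request) and sets the new cookie.
    return ['userId' => (int) $row['user_id'], 'newCookie' => issueRememberToken((int) $row['user_id'])];
}

// Demo. In a login response you would call:
//   setcookie(REMEMBER_COOKIE, $issued['value'], $issued['options']);
$issued = issueRememberToken(123);

$visit = loginFromRememberCookie($issued['value']);
printf("first return visit: user %d logged in, token rotated\n", $visit['userId']);

$replay = loginFromRememberCookie($issued['value']);   // the old value again
printf("replay of the old cookie: %s\n", $replay === null ? 'rejected' : 'accepted');

$newSelector = explode(':', $visit['newCookie']['value'])[0];
$guess = loginFromRememberCookie($newSelector . ':' . str_repeat('0', 64));
printf("real selector, wrong verifier: %s\n", $guess === null ? 'rejected' : 'accepted');

$again = loginFromRememberCookie($visit['newCookie']['value']);
printf("rotated cookie: %s\n", $again === null ? 'rejected' : 'accepted');
```

Because each token is deleted on use, a replay of a value that has already been redeemed fails; in production that failure is also a useful signal that the cookie was copied, which is one reason the Security section below ends with "Re-authenticate!" for anything sensitive.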
What about security?

4. Security

Firesheep

I CAN HAZ SSL?

Re-authenticate!
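The three slides above are a problem and two answers: Firesheep worked because the session cookie travelled in clear text over HTTP, SSL keeps it off the wire, and re-authentication limits what a stolen or long-lived login can do. This added example (not from the talk) ties them to the authentication flags from section 2: a function that sets the session cookie directives a practitioner would want before session_start() (the same names as in php.ini), a password login that sets the $_SESSION flags only after password_verify and under a fresh session ID, and a gate that demands the password again before sensitive actions when the login is old or came from the my_auth cookie. The function names, the 10-minute freshness window and the authVia/authTime session keys are assumptions; $_SESSION is stood in for by an array so the script runs from the command line.

```php
<?php
// Added example (not the speaker's code): hardened session cookies, a password
// login that sets the section-2 flags, and a re-authentication gate.
// Function names, REAUTH_WINDOW and the authVia/authTime keys are assumptions.
declare(strict_types=1);

const REAUTH_WINDOW = 600;   // seconds a password login counts as "fresh"

// Call before session_start(). These are the php.ini directives of the same
// names; cookie_secure only helps once the site is served over HTTPS.
function hardenSessionCookies(): void
{
    ini_set('session.use_strict_mode', '1');    // never adopt an unknown session ID
    ini_set('session.use_only_cookies', '1');   // no session ID in URLs
    ini_set('session.cookie_secure', '1');      // HTTPS only: nothing for a sniffer to read
    ini_set('session.cookie_httponly', '1');    // not readable from JavaScript
    ini_set('session.cookie_samesite', 'Lax');
}

// Password login: the "authenticated" flag from section 2, set only after the
// password checks out, under a new session ID so an ID fixed before login is useless.
function loginWithPassword(array &$session, string $password, string $storedHash, int $userId): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (PHP_SAPI !== 'cli') {          // no real session in this command-line demo
        session_regenerate_id(true);
    }
    $session['authenticated'] = true;
    $session['userId']        = $userId;
    $session['authVia']       = 'password';   // a remember-me auto-login would store 'remember_me'
    $session['authTime']      = time();
    return true;
}

// Gate for password or e-mail changes, payment details and similar actions.
function needsReauthentication(array $session, int $now): bool
{
    if (empty($session['authenticated'])) {
        return true;                                   // not logged in at all
    }
    if (($session['authVia'] ?? '') === 'remember_me') {
        return true;                                   // cookie proved possession of a token, not the person
    }
    return ($now - ($session['authTime'] ?? 0)) > REAUTH_WINDOW;
}

// Demo with an array standing in for $_SESSION.
hardenSessionCookies();
$hash    = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$session = [];

var_dump(loginWithPassword($session, 'wrong password', $hash, 123));                // bool(false)
var_dump(needsReauthentication($session, time()));                                   // bool(true): nobody is logged in
var_dump(loginWithPassword($session, 'correct horse battery staple', $hash, 123));   // bool(true)
var_dump(needsReauthentication($session, time()));                                   // bool(false): just logged in
var_dump(needsReauthentication($session, time() + 3600));                            // bool(true): login is an hour old

$session['authVia'] = 'remember_me';   // as an auto-login from the my_auth cookie would record
var_dump(needsReauthentication($session, time()));                                   // bool(true): ask for the password
```

The gate is what makes a long "Keep Me Logged In" lifetime acceptable: the remembered login is enough to read a timeline, and the password is required again for the actions an attacker holding the cookie would care about.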
5. Thanks!
@hellogerard
http://straylightrun.net
http://github.com/hellogerard/tek11
© 2011. Some rights reserved.
Enjoy the wi-fi!