I have a Symfony application which use a mysql database to store session data, and uses the SfGuard plugin to manage the authentication.
Despite that symfony allways save the authentication info in a cookie. Is there anyway i can disable cookies and store the authentication info in the database or in memory?
I might need in the future, to have a kind of single sign on feature, where the authentication state will persist between multiple applications, in different domains. Thats why I mostly want to eliminate the need to use cookies.
Thank you for your help.
You do not seem to understand how sessions work.
That cookie that gets sent to the cient is called the session id, and it's unique to the visitor. When he reqests a page from the server that cookie identifies the row in your session table where his data are - no data besides the ID is ever sent to the client.
Without that ID there's no way to pair a request to session data, that's why you could not log in anymore after disabling the cookies. The alternative to the cookie is to pass the session id some other way, like in the url - php can do that automatically, you just need to enable use_trans_sid in the php.ini.
Yes, you can store the authentication info in the database : See here how.
Related
I have disabled cookies for my website and get TokenMismatchException. Since I am using sessions file driver and in my form I have {{ csrf_field() }} why do I get TokenMismatchException when I disable cookies for my website ?
If I inspect the call that was made I can see that the token was sent in post : token J0Y0t2hj3jjVFMdGCch0apliPqlz1lZlwUc0VqCk
why do I get TokenMismatchException when I disable cookies for my website?
Because the CSRF token value in the form needs to be compared to (the) one stored in the session.
If your session is not working without cookies, then of course this will fail.
So decide whether you want to demand cookies for your app to work, or if you want to use less secure ways of transporting the session id (GET/POST – how to configure that within your framework, should be in its documentation.)
check your config file(config/session.php) and see if your session driver is cookie. If yes, then change that to something else.
here is the notes: Laravel's HTTP Session
file - sessions are stored in storage/framework/sessions.
cookie - sessions are stored in secure, encrypted cookies.
database - sessions are stored in a relational database.
memcached / redis - sessions are stored in one of these fast, cache based stores.
array - sessions are stored in a PHP array and will not be persisted.
I'm using nocache headers to tell a Content Delivery Network (CDN) to not cache the page, but every page request generates a new ColdFusion session ID. So I cannot persist session variables!
If I bypass the CDN, the session is unique per browser on my machine - and will work as normal.
I want to see if the CDN company can do anything to help this situation, but I can't find out how ColdFusion decides to create a new session ID. I suspect the CDN is generating something unique each time, but don't know what.
Any thoughts?
Thanks
ColdFusion writes a CFTOKEN and CFID cookie (or poss a JSESSIONID one, depending on your session setings). Those identify your sessions.
Here is the situation, I have setup 2 codeigniter installation.
One will be a client and one will be an api. Further improvement of this will be
The client will no longer be made from CI, since I wasn't using it's functionality. I just wanted to start out from a mvc framework right on.
My question would be where should I be storing sessions? during logins.
Below is how I did it, but I think I did it wrong.
I created a Login from the client. This one sends the login credentials to the api and then validated these information sent by the client and will return a message/response whethere the login credentials were valid or not.
If the login details were valid, the api will set a session in it's controller like this
if(true) {
$this->session->set_userdata($array);
}
This is in the login_controller I created. Is this the proper way of setting sessions for a client of a api?
You've got the concept right. You only want to set session userdata upon verifying the user supplied valid credentials.
That said, make sure you're using encrypted cookies and, if you're handling sensitive data, store your session data in the database. Storing it in the database causes some odd quirks with how sessions work in CodeIgniter (mainly with flashdata), but the added benefit of positive identification might potentially be worth it.
By storing the session data in the database, you can more positively verify a user is who they claim to be (in terms of the session ID, etc). The reason is because the session data is stored only in the database, and not in the session cookie (which only holds session ID and some other info). That way, even if someone does manage to decrypt the cookie, they can't modify their userdata to pretend to be someone else, like you might be able to with the cookies only method.
How can I increase the security of my sessions?
$this->session->userdata('userid')
I've been throwing this little bad boy around for my ajax calls. Some cases I haven't. Then I was like, is this really secure using id from the DOM? what if the DOM is changed to hack user accounts data? So then I was like I guess anytime a user is doing something relating to their id, only sessions should be referenced. Am I right?
Referenced like so:
$this->some_model->do_data_stuff($dataId, $this->session->userdata('userid'));
Then I read this:
While the session data array stored in the user's cookie contains a
Session ID, unless you store session data in a database there is no
way to validate it. For some applications that require little or no
security, session ID validation may not be needed, but if your
application requires security, validation is mandatory. Otherwise, an
old session could be restored by a user modifying their cookies.
http://codeigniter.com/user_guide/libraries/sessions.html
I'm not going to be storing financial data but I don't want any data on my site corrupted ever. Does SO use session validation? How much overhead will this validation cost? How would a session be hacked? What are some things to look out for with session security?
Using CodeIgniter sessions with database is going to be fairly secure. You just don't have to trust the input that the user gives. Even if you are using AJAX, the CodeIgniter session will work just like any standard call, so the same security goes on.
What happens with the CodeIgniter session is that the server stores the cookie, and every time the user does an action that would change the content of the cookie, it is first compared to the previous cookie.
If the user changes the content of the session cookie in the browser, CodeIgniter will notice on the next server call, and create a new session for the user, basically logging him out.
CodeIgniter doesn't really need the data stored in the cookie in the user's browser, and as long as you're using
$this->session->userdata('userid');
you're going to get trusted server-side data. The user can't change that. Furthermore, the cookie can be encrypted, and you should have it encrypted. Just look in config.php of CodeIgniter.
There are several other protections around the session data: the short refresh timeout (usually 300 seconds), it checks if the IP changed, and if the browser changed. In other words, in the worst case scenario, the only way to spoof the session data is by having the same version of the browser, having the same IP, getting direct access to the computer to copy/paste the cookie, and getting this done within 5 minutes.
So, watch out for the guy sitting beside you!
Which is the difference between sessions and cookies. I know that sessions are server side, and managed by the server, and the cookies are client side and managed by the browser.
I don't know why, but I see those things as rendundant. Which data have to be keept in a session variable and which on cookies?
Session is implemented with cookies. You would normally save in a cookie things like the user id, or some identifier that will allow you to know who the user is, and use that information as a key for your session variable on the server side.
Most importantly, you wouldn't want any secret information being stored on the client side, since cookies can easily be stolen (from a security point of view).
Don't forget that HTTP is stateless, so cookies are just a way to bypass this.
In short, cookies are more persistent than sessions. As soon as you close your browser, the session information is gone. Therefore a session has no way to store information about a website/user pair. Cookies do, and are used for things like allowing you to stay logged in to a website, or storing preferences for that website (e.g. language).
The main difference between cookies and sessions is that cookies are stored in the user's browser, and sessions are not. This difference determines what each is best used for.
see http://php.about.com/od/learnphp/qt/session_cookie.htm
Cookies are for small data. They can only hold strings.
In session variables you're able to store objects in the server memory.