Larry Ullman's Book Forums

Ch 12 - Preventing Session Fixation



I created the login page in chapter 12 and was thinking what if this page was successfully logged in on a public computer and the user didn't log out. Then another person comes along and accesses the login page and successfully logs in. They are now sharing the same session id. I saw the Preventing Session Fixation box and put session_regenerate_id() code in the logged_in.php page after the session check and functions includes. I successfully logged in as two different users using the same computer and same browser (Firefox) and the two users had the same session id. Am I missing something? THANK YOU!


Hello, and welcome to the forums.


Public computers can be tricky, but at the end of the day, if a user isn't smart enough to log out of a site on a public computer, then there isn't much you can do. That really is their fault, not yours.

With that said, there are things you can do to help protect users from their own stupidity.


To answer your question first though, the fact that two users on the same computer had the same session ID is the default behavior and is to be expected. The important thing to know is that the session ID is nothing more than a unique string that points to a file on the server that contains the actual session info. Whenever you initiate a session from a server-side PHP script, a cookie is sent to the user's computer with the session name and session ID. This information is used to retrieve anything stored in the session when any user on that computer returns to the website.


To emphasize that last point, if two people go to the same website from the same computer, the server hosting the site doesn't know that two different people went to the site. All the server knows is that there is a cookie on a single client machine that references an active session on the server. As such, the server will indiscriminately use the same session ID to retrieve the information. The only time the session ID is changed is when you force the ID to be regenerated or when you destroy the session, which effectively deletes the file containing the session info on the server.


As such, your observation and understanding are correct, and there isn't any inherent risk in two distinct people having the same session ID for a site on a single computer aside from the obvious problem that the second user would have the first user's access to a particular site.


One of the best things you can do to "help" users that forget to log out on a publicly accessible computer is to set a timeout of 10 minutes or whatever so that if an active session isn't used for 10 minutes or more, the session is destroyed, thus making it impossible for anyone else to use the site with someone else's credentials after that 10 minutes has passed.


It's not a foolproof solution, but it is a good way to stop most session hijacking of that nature without annoying most users that are properly using your site.


Does that all make sense?


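The two measures discussed in this thread (an inactivity timeout that destroys the session, and regenerating the ID at login) combined into one PHP snippet. This is an added example, not code from the book or from either post; `check_user()` is a hypothetical function that validates credentials and returns a user ID or `null`, and the 600-second limit is the 10-minute figure from the reply.

```php
<?php
// Added example: inactivity timeout plus session ID regeneration on login.
// check_user() is hypothetical (validates credentials, returns user ID or null).
declare(strict_types=1);

const IDLE_LIMIT = 600; // seconds of inactivity allowed (10 minutes)

session_start();

// 1. Inactivity timeout: if the previous request was too long ago, wipe the
//    session so a later visitor on the same machine cannot reuse the login.
if (isset($_SESSION['last_activity'])
    && time() - $_SESSION['last_activity'] > IDLE_LIMIT) {
    $_SESSION = [];                        // clear the in-memory session data
    if (ini_get('session.use_cookies')) {  // expire the client's session cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                     // delete the server-side session file
    session_start();                       // begin a fresh, empty session
}
$_SESSION['last_activity'] = time();       // refresh the timestamp every request

// 2. On successful login, replace the session ID so whatever ID existed
//    before authentication is no longer tied to the logged-in session.
if (isset($_POST['email'], $_POST['pass'])) {
    $user_id = check_user($_POST['email'], $_POST['pass']); // hypothetical
    if ($user_id !== null) {
        session_regenerate_id(true);       // true = delete the old session file
        $_SESSION['user_id']       = $user_id;
        $_SESSION['last_activity'] = time();
    }
}
```

The timeout block must run on every page that uses the session (for example from the shared includes), not only on the login page, or an idle session stays valid until the next login attempt.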