Session Userdata security

[eluser]patrickod[/eluser]
I am writing an application at the moment that keeps the username in a session variable and uses it throughout the application as the unique identifier for the user. The thing I am worried about is the potential for a malicious user to edit the userdata variable which would allow them to gain access to other things not relating to their account.


Is this something I should be worried about or are there ways of preventing such an attack from happening?


Thanks in advance,

Patrick

[eluser]Wuushu[/eluser]
Are you using cookie or database based session data? If it's in the database i don't think (unless you leave it open to) it's possible to change directly, unless you hijack someone else's session id. But in the case of that you can also enable user agent and user ip matching...

[eluser]pistolPete[/eluser]
Use cookie encryption:

Code:

$config['sess_encrypt_cookie'] = TRUE;

user_guide/libraries/sessions.html

If you have the encryption option enabled, the serialized array will be encrypted before being stored in the cookie, making the data highly secure and impervious to being read or altered by someone.

[eluser]patrickod[/eluser]
[quote author="pistolPete" date="1244646691"]Use cookie encryption:

Code:

$config['sess_encrypt_cookie'] = TRUE;

user_guide/libraries/sessions.html

If you have the encryption option enabled, the serialized array will be encrypted before being stored in the cookie, making the data highly secure and impervious to being read or altered by someone.

[/quote]

Does this incread load times by a noticeable factor? if its not that slow I'll definitely use it. Thanks

[eluser]Dam1an[/eluser]
I've never noticed any added delay with encrypted cookies (and this is with the profiler, although it's hard to get a definite answer, as load time varies with each request)

[eluser]TheFuzzy0ne[/eluser]
I created a 2KB string (as cookies can only hold 4KB and encryption creates a larger end string), using this function:

Code:

function get_2kb()
{
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
            .'abcdefghijklmnopqrstovqxyz'
            .'0123456789';

    $str = '';
    for ($i = 0; $i < 2000; $i++)
    {
        $str .= substr($chars, rand(0, strlen($chars) -1), 1);
    }

    return $str;
}

This was my test controller:

Code:

<?php

class Test extends Controller
{
  
    function index($where=array(), $limit=25, $offset=0)
    {
        $str = 'hO5qvNsyqc1dG9t63HSAsAPq...'; # truncated

        $this->load->library('benchmark');
        for ($i=0; $i < 10; $i++)
        {
            $this->benchmark->mark('start');
            $this->session->set_userdata('str', $str);
            $this->benchmark->mark('end');
            
            $results[] = $this->benchmark->elapsed_time('start', 'end');
        }
        
        die('<pre>'.print_r($results, TRUE).'</pre>');
    }
}

/* End of file test.php */
/* Location: ./system/application/controllers/test.php */

Here are the results:

Without encryption:

Code:

Array
(
    [0] => 0.0002
    [1] => 0.0002
    [2] => 0.0001
    [3] => 0.0001
    [4] => 0.0001
    [5] => 0.0001
    [6] => 0.0001
    [7] => 0.0001
    [8] => 0.0001
    [9] => 0.0001
)

With encryption:

Code:

Array
(
    [0] => 0.0418
    [1] => 0.0424
    [2] => 0.0417
    [3] => 0.0431
    [4] => 0.0428
    [5] => 0.0428
    [6] => 0.0419
    [7] => 0.0427
    [8] => 0.0426
    [9] => 0.0428
)

Probably not the most scientific benchmarking test in the world, but I think it does show a pattern. Yes, it's computationally more expensive to encrypt cookies, but we're talking less than half a tenth of a second. In my mind, that's a small price to pay for security. Also, bear in mind that you'll rarely be storing 2KB of data in a cookie - if ever.

My server specs are:
2.4GHz Athlon
128MB RAM

[eluser]Dam1an[/eluser]
I should mention I was using the database for storing session data, so I only encrypted a few bytes worth of data, hence me not noticing the increase, although as Fuzzy said, even if you're not using the database, this is a small price to pay for security

[eluser]patrickod[/eluser]
If I can prevent people impersonating others using modified session info then I'm fine with encryption and database use for sessions. Thanks for the info. I appreciate it, that and the fast reply

Patrick

[eluser]TheFuzzy0ne[/eluser]
I've been struggling trying to understand the point of database sessions. As soon as I realised that the data is stored in the cookie anyway, and that you can't store more data in the database than you can in the cookie, I decided not to use database sessions any more.

Granted, there's a little bit of added security that checks to see if the data has been modified at all, but if it's encrypted, modifying it will probably break the cookie anyway. I've come to the conclusion that using database sessions is only useful for unencrypted cookies, where a user can easily modify the data.

EDIT: Hmmm... Perhaps this is too off-topic for this thread and should be in it's own thread?

[eluser]Dam1an[/eluser]
[quote author="TheFuzzy0ne" date="1244649918"]and that you can't store more data in the database than you can in the cookie[/quote]

Em... what?!?
I've managed to go over the limit with cookies but not the database :-S