passing passwords in GET mode 4

[RobBroekhuis]

I'm very new at this, so the answer is probably obvious... I have just developed a small PHP application which asks the user for username/password upon entering, and then passes this information along when moving between page requests. This is fine when the transitions use forms and the POST method, but in several cases I use links of the url?var=value (i.e., GET) kind, and in that case the password shows up in the url bar. What is the best way to avoid this? Is there a generally accepted way of dealing with user authentication/passwords that I can look up somewhere?
Thanks much


Rob

 

[xhtml101]

The best way is to use SESSION.

This a server-side vars and are never displayed on the client site. Check this doc:

http://ca.php.net/session

Hope this help!

Sincerely,

Dan Grant
Lead programmer
dan at abusinesshosting dot com

http://www.abusinesshosting.com

 

[hos2]

or encrypt it with md5 function

 

[RobBroekhuis]

Thank you both for your contributions. I've read up on both topics, and haven't decided yet how to proceed. The php site description really leaves out too much for a newbie like me to be able to latch in and run with. Are you aware of any good, simple examples of scripts using session management?


Rob

 

[sleipnir214]

Actually, I would use both sessions and hashing of the userid and password using md5.

But sessions are actually deceptively easy -- PHP does all the hard work for you automagically. A good place to start with sessions is the example code on the manual page for session_start():

http://www.php.net/manual/en/function.session-start.php

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!!

 

[RobBroekhuis]

Looks easy enough, and I can see readily how it works propagated through a URL. Now how would I go about doing it using a form post? Can I use a hidden input field to propagate the sessionID, or would I put the sessionID in the action= url with something like

'<form method=&quot;POST&quot; action=&quot;registry.php?&quot;'.SID.'>'



Rob

 

[esromneb]

I would suggest using a hidden form variable. I too just started using sessions. I found these two tutorials to be VERY helpful. The first basically sets up everything for you. The second is less helpful, but make sure you read it and look for the ie6 fix.

http://www.devarticles.com/c/a/MySQL/Security_and_Sessions_in_PHP/

http://www.phpfreaks.com/tutorials/41/2.php

Hope that helps.

 

[RobBroekhuis]

Now I'm confused. Some of what I've read suggests that I have to propagate the session ID in links, while the tutorial at phpfreaks.com referenced right above doesn't do any of that. What gives?


Rob

 

[sleipnir214]

It is not necessary to propogate session IDs in links. In fact, it's not recommended. The PHP online manual states:

URL based session management has additional security risks compared to cookie based session management. Users may send an URL that contains an active session ID to their friends by email or users may save an URL that contains a session ID to their bookmarks and access your site with the same session ID always, for example.

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!!

 

[RobBroekhuis]

I understand that one way to deal with sessions is via cookies. But the tutorial referenced above doesn't do anything with cookies or URL propagation (only a session_start at the beginning of the page). Is there a third way, or are cookies automatically generated in some cases?


Rob

 

[sleipnir214]

If the php.ini runtime configuration directive &quot;session.use_trans_sid&quot; is set to &quot;1&quot; or &quot;yes&quot;, then PHP will automagically edit HTML tags during output to propogate session ids.

Otherwise, it will use cookies. This is the default behavior.

But issuing session_start() is all you have to do. When a script invokes session_start(), if a session cookie has not been set, PHP sends one. Otherwise it uses the value of the session cookie the browser sent when it connected. All of the nitty-gritty details of cookie-setting, etc, are handled by PHP for you.

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!!

 

[shaddow]

I have to add something about sending data even encripted using GET.

This is not safe either, if somone can get all the GET parameters can still find out what was there since they can read out the MD5 cripted code. I knw that MD5 it's one way but still same password as far as i knw gives same MD5 cripted code so, there for it's not needed to try passwords to the site just generate passwords till the MD5 cripted code looks same.

Anyway what i was saying is that sending critical data using GET or hidden form fields shouldnt be avoided. Best solution still remains Session or Database storage.

________
George, M

 

[ingresman]

Sorry to join so late..

Think of the session as a way to remember stuff from page to page.
The session_start() does the hard work, all you have to do is put your values in $_SESSION e.g. $_SESSION['password'] = &quot;fred&quot; to get it out just use $pass = $_SESSION['password'].

The underlying way sessions are held in within flat files in the server file system. You can register your own versions of the session functions to write to a database of your choice which gives you the advantage of PHP doing all the heavy lifting for you.

Fianlly you could just use the session id php generates for you ($SID i think, or $id=session_start() and just use that as a key to any database tables (or files) of your chossing.

hope this helps !

 

[RobBroekhuis]

Thank you all for your helpful input. I will investigate the settings on my server, and play around a bit to see if I can get it to work. I have one more question: if I don't personally propagate the session ID, when does the session get terminated? When I go to my app from my PC, log in, and do some stuff, then go do something else in IE and yield the PC to another user, if the other user goes to my app, will he be logged in as me? I know I can explicitly kill a session, but what if there is no explicit logout undertaken?


Rob

 

[shaddow]

Sometimes the session it will timeout, Web server usually knws when an browser client(SessionID) closes it's connection or if not it will check the last time when the client accessed a page and if this time gets over the session timeout(usualy 15 mins) it's deletes his session id.
On apache session id's are stored in some temporary file, and deleted after.

Session clearing it's trigered when.
1. user closes it's browser window
2. session expire(more then session timeout minutes of inactivity)
3. session it's manually destroied.

There is no way of using same session for 2 web clients. Unless you forget to close or log out your session(web browser).

________
George, M

 

[ingresman]

On windows, I find that the session files never get deleted so I have to do it manually. Some parameters exist to set probability of deletion etc etc (havn't read it in depth). It's also a good reason to put the data into the DB instead and get rid of them with a quick delete. The core php book has an axanlpe of settign your pwn functions fr session and I think the zend site has one as well.

 

[shaddow]

On the Apache server it's deleted unless i close the Apache server before session it cleans itself.

________
George, M

 

[RobBroekhuis]

I just checked the php settings, and indeed my use_trans_sid is set to 1. Also, I previously noticed my register_globals is set to true. It sounds like both of those are counter to current defaults. I assume that since I'm on a shared server, I have no choice in the php settings. Is any of this likely to get me in trouble down the road?


Rob

 

[hos2]

normally you can override you're settings in the beginning of the script

ini_alter("session.use_trans_sid",0);

 

[shaddow]

As far as i knw, you wont need to pass SID to the link, just use session_start() and session_register(), also register_globals, should be able to let you access the variable using his declaration name
session_start();
session_register(&quot;test&quot;
$test=&quot;somevalue&quot;;

________
George, M