On Wed, 2002-01-02 at 17:53, Woolhiser, Eric wrote:
> OK, I gotta ask, what do you think is wrong with using the session functions?
> If you are going to support sessions but not use the embedded functions, it
> sounds like you wish to re-invent the wheel here.
> Wouldn't phpSecureSite be more likely to thrive as an open source project if
> the code used the standard tool sets?
Ah, glad you asked :)
I'm gonna give a quite lengthy explanation of this in the docs, but I'll
try to give a (somewhat) boiled-down explanation here:
The main reason for not using the session()-family is because I find it
to be lacking the flexibility I need for my apps - both with regard to
security, and functionality. And underlying my reasoning for this is
that I find that having a clean, consistent and smart database, and then
writing dumb code for it, makes the system smaller, more expandable,
cleaner and easier to understand.
In fact, the whole reason for this project is that I found the
session()-family to be lacking, and I'm therefore writing an alternative
to php's session-handling system.
Here are some of the reasons why I find the php built-in session
handling to be insufficient :
I want the whole system to be based on a database (as opposed to the
server's memory), so it's possible to attach log entries to sessions,
which in turn are attached to accounts. As the project progresses I
might also be able to add tracking functionality, allowing the site
admin to generate statistics based on session activity.
I have already added support for IP checking, to prevent session
hijacking. This requires that a lot of the session data is already stored
in a database, so I didn't see any reason not to base the whole system
on databases, instead of using a merger of php's session()-family and my
own system.
I believe that sessions weren't introduced to php before version 4, so
those who use php3 should be able to get session-handling through my
system (although this has not been verified).
And I'm also quite the control-freak, and like to have close to absolute
power over my scripts. :) To modify the way the php session system
works, you need to modify the php C sources, while my system relies on
rather low-level php functions, making it easier to modify.
Of course this has its backsides. Since my system relies 100% on
databases for data storage it will require a bit more resources and a
fast i/o subsystem (depending on the number of concurrent users), but I
think this is an acceptable tradeoff for the (coming) functionality and
security.
In addition, the php session system allows for sessions based on POST/GET
vars and other methods of preserving data. This should not be a problem
to include in phpSecureSite, but until then the system requires the use
of cookies.
If you, or anyone else, have any thoughts on this, please let me know.
Suggestions are always more than welcome.
-- 
Erik Grinaker
UNIX/Linux systems consultant
Elan IT Resource - www.elanit.no
"Perfection is achieved not when there is nothing more to add, but
rather when there is nothing more to take away"
- Antoine de Saint-Exupéry
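The design Erik describes above (sessions stored in a database, bound to the client IP, with log entries attached to each session), sketched as an added example. This is not phpSecureSite's code; it is a Python/sqlite illustration, and the table layout, token format and event names are my own assumptions.

```python
import secrets
import sqlite3

# Assumed schema: accounts -> sessions -> session_log, so every log entry
# can be traced back to a session and from there to an account.
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT UNIQUE);
CREATE TABLE sessions (
    token      TEXT PRIMARY KEY,
    account_id INTEGER REFERENCES accounts(id),
    ip         TEXT NOT NULL,        -- address the session was issued to
    active     INTEGER NOT NULL DEFAULT 1
);
CREATE TABLE session_log (
    id    INTEGER PRIMARY KEY,
    token TEXT REFERENCES sessions(token),
    event TEXT NOT NULL,
    ip    TEXT NOT NULL
);
"""

def open_store():
    db = sqlite3.connect(":memory:")   # in-memory for the example; a real site uses a server DB
    db.executescript(SCHEMA)
    return db

def log(db, token, event, ip):
    db.execute("INSERT INTO session_log (token, event, ip) VALUES (?, ?, ?)", (token, event, ip))

def create_session(db, account_id, ip):
    token = secrets.token_hex(16)      # unguessable session id, sent to the client as a cookie
    db.execute("INSERT INTO sessions (token, account_id, ip) VALUES (?, ?, ?)", (token, account_id, ip))
    log(db, token, "login", ip)
    return token

def lookup_session(db, token, ip):
    """Return the account id for a valid session, or None. The IP check is the
    hijacking defence: a token presented from another address is revoked and logged."""
    row = db.execute("SELECT account_id, ip, active FROM sessions WHERE token = ?", (token,)).fetchone()
    if row is None or not row[2]:
        return None
    account_id, bound_ip, _ = row
    if bound_ip != ip:
        db.execute("UPDATE sessions SET active = 0 WHERE token = ?", (token,))
        log(db, token, "ip_mismatch", ip)
        return None
    log(db, token, "request", ip)
    return account_id

def session_events(db, token):
    return [r[0] for r in db.execute("SELECT event FROM session_log WHERE token = ? ORDER BY id", (token,))]
```

Binding a session to one address is what makes the log useful for spotting a stolen cookie, but it also ends sessions for users whose address changes mid-visit (proxy pools, mobile networks), so the mismatch event should be treated as a signal to review rather than proof of an attack.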