User sessions, what data should be stored where?
This article has been updated. For the old version please check Archive.org
A couple of days ago on reddit.com's /r/netsec a poster by the name of Dan Weber posted what he believed to be an attack on PHP sessions: Hacking PHP sessions by running out of memory (reddit link). The way the "attack" works is as follows:
- Create a new session
- Assign some new data to the session, in this case a username which is used to signify that the user is logged in.
- Check to verify that the user should be logged in
- If the user should not be logged in, destroy the session.
The "attack" would be to run the PHP script out of memory on number 3, since once something is set on the session it is immediately stored, so even if the user is not supposed to be logged in, they are now logged in since their session says they are.
I wouldn't necessarily call this a PHP hack, this is really just bad practice in terms of programming, the logic should be reversed.
- Create a new session
- Verify the user should be logged in
- If so, set the session data
- If the user should not be logged in, don't set the session data
That would solve the problem at hand, and now there is no way for the user to trick the PHP script into believing she is logged in when that is not the case.
However as the discussion went on on Reddit, it became even more clear that there are no good resources on what you should store in the user session, and what you shouldn't store in the user session. Some of these things may seem like common knowledge, but sadly this is something every single new person to programming has to learn on their own.
Some assumptions
Let's get this out of the way, this is in no way limited to PHP, but it is the one I will be using as an example. This can all apply to Ruby (Ruby on Rails), Python (Pyramid) or many other frameworks.
The basic problem is that generally writing to the session is not an atomic transaction based on the page accessed, so the assumption made in this article is that when you write to the session it is instantly committed, and there is no way to roll it back upon failure. If there was, our first example listed wouldn't be able to occur since upon running out of memory at step 3, the session would have been rolled back and cleaned up.
What should you store in the users session?
You should only really store anything in the session that if it were made public it would do very little harm.
Really the list of items to be stored in a session are as follows:
- The users unique id (The ID that allows you to retrieve the users information from storage)
- Temporary state (i.e. Flash messages)
- CSRF token
More importantly, don't store permission bits, or group memberships, or anything that is used to allow/deny access to particular resources. You want to store just enough information that upon a user accessing your site you are able to retrieve the users information from storage, and based upon that information from storage you then make decisions such as permissions/group memberships.
Why is this important?
One of the things that Dan Weber brought up in the Reddit post was storing the users permission level and group membership in the session. If your code is then relying on the session to always contain the right permission level, then there is no way to expire someones access to the data.
- A user logs in
- A user gets various permissions, and they are set in the session
- The user has been fired from his job, and an administrator removes the users permissions
- Since the user is still logged in, the users permission bits are still set, and he continues to have access to parts of the site/information he shouldn't have access to.
If instead on every page visit we simply pull out the users unique id and verify the permissions upon access, as soon as the permissions are revoked by the administrator the user no longer has access to the various resources.
Temporary state
There has to be an easy way to remember something from page visit to page visit that isn't considered detrimental if the information gets lost. One of those things is flash messages. Flash messages are generally used to provide the user indication that something has changed, they are shown once and then never again.
Storing these as session data makes sense. If the flash message gets set, great, if it doesn't get set, it doesn't matter. Flash messages are simply a notification tool, if the user misses them it isn't important.
What you shouldn't store in the session
Definitely don't store any kind of permission bits, groups a user is a part of or anything that would allow the user access that they normally would not be able to access.
On each page access check what permissions the user has. While it may mean a little more heavy lifting server side it provides extra security, and the means to enforce changes in permissions instantly.
Good secure programming practices
Keep secure programming practices in mind at all times, always consider how the information you are storing/processing is accessed/viewed/administered. More importantly think about the access controls that are in place, and how one could expire access to a particular resource without requiring a co-operative client.
The ordering of how variables are set, and when they are set are very
important. $_SESSION['isadmin'] = True
at the top of a PHP script, and then
removing it by checking to see if the user is actually an administrator later
on in the script is a bad idea.
Always order your code so that if a failure does occur there is no chance that a critical section of your code is executed by accident, or that information is stored in a half-verified state. This is especially important for access control.