What is a secure way to store and retrieve session data in a Web site?
What is a secure way to store and retrieve session data in a Web site? Before realizing why it would not work, I for a good while believed the following approach would:
Store everything in session variables whose name is a randomly generated string:
// This will be the name of the session variable. $id = uniqid(); // $my_complex_object contains sensitive information // I don't want to transmit over the network. $_SESSION[$id] = $my_complex_object;
Send those randomly generated string to my users.
On the client side, send requests to my server using those randomly generated strings as
POST
parameters.
But then I realized this is only as secure as PHP's session ID cookie (or that of whatever language/framework you happen to be using), which, I guess, is sent through the tubes as plain text. Together, the session ID and the randomly generated $开发者_开发知识库id
are everything an attacker needs to access $my_complex_object
. And they are both available for free to the attacker.
So, could anybody tell me an approach that actually works? Maybe there is a secure way to set cookies.
NOTE: I did not set the PHP tag because it is only incidental that I am using PHP. If you want to give me an example in whatever happens to be your favorite language/framework, please feel free to do so.
EDIT: It seems like my original question was not clear enough.
Let us suppose we want to generate a HTML table each of whose rows corresponds to a product and will contain a hyperlink to a "More information about this product" page. Thus, I would do the following:
In
table.php
, I would generate a table with N rows. For each row, I would generate a session variable containing information about the corresponding product. Somewhere in my HTTP response's body, I would also send the names of said session variables.When the user requests more information about a particular product, he sends a
POST
request tomore_info.php
, one of whose parameters is the name of the corresponding session variable.
So, while in my HTTP headers I am only sending the session ID cookie, in my HTTP bodies, I am sending the keys to lots of information. Any attacker who took the time to analyze the structure of my HTTP headers and bodies could completely hijack my users' sensitive information.
As an example, ASP.NET session state never sends anything to the client except for the cookie holding the session ID. There is no way for the client to access Session variables, which are stored purely on the server.
精彩评论