PHP Cookies, Sessions and Authentication
DESCRIPTION
Do you know the difference between the PHP config directives session.gc_maxlifetime and session.cookie_lifetime? Have you wrestled with implementing a “Remember Me” button on your login page? Learn how popular sites, such as Twitter and Facebook, keep you logged in (apparently) forever and the security risks of such methods. http://github.com/hellogerard/tek11
TRANSCRIPT
![Page 1: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/1.jpg)
(PHP) Sessions, Cookies, & Authentication
Gerard Sychay
#tek11
05/26/2011
![Page 2: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/2.jpg)
Gerard Sychay.
Zipscenemobile.com
Cincy Coworks
0. Introduction
![Page 3: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/3.jpg)
0. Introduction
This is Henry
![Page 4: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/4.jpg)
0. Introduction
baby
![Page 5: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/5.jpg)
0. Introduction
1. Sessions
2. Authentication
3. Keep Me Logged In
4. Security
![Page 6: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/6.jpg)
1. Sessions
1. initial request
2. create new session ID
3. create session file named with ID
4. store ID in ‘PHPSESSID’ cookie
![Page 7: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/7.jpg)
1. Sessions
1. read session ID from PHPSESSID cookie
2. find file with name matching session ID
3. read session data from session file
4. respond using session data
![Page 8: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/8.jpg)
1. Sessions
![Page 9: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/9.jpg)
2. Authentication
Sessions… what are they good for?
![Page 10: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/10.jpg)
2. Authentication
```php
// set a flag
$_SESSION['authenticated'] = true;
$_SESSION['loggedIn'] = true;
// save something useful
$_SESSION['userId'] = 123;
$_SESSION['userName'] = 'jsmith';
```
![Page 11: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/11.jpg)
2. Authentication
![Page 12: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/12.jpg)
2. Authentication
“You know that thing that they have?”
![Page 13: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/13.jpg)
2. Authentication
session.cookie_lifetime
Specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means “until the browser is closed.” Defaults to 0.
![Page 14: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/14.jpg)
2. Authentication
session.gc_maxlifetime
Specifies the number of seconds after which data will be seen as ‘garbage’ and potentially cleaned up. Garbage collection may occur during session start. Defaults to 1440 seconds.
![Page 15: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/15.jpg)
2. Authentication
```
// 24h
session.cookie_lifetime = 86400;
// 24h
session.gc_maxlifetime = 86400;
```
![Page 16: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/16.jpg)
2. Authentication
![Page 17: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/17.jpg)
2. Authentication
session.cookie_lifetime: absolute expiration time
session.gc_maxlifetime: maximum idle time
![Page 18: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/18.jpg)
2. Authentication
```
session.cookie_lifetime = 0; // default
session.gc_maxlifetime = 1440; // default
```
Example
Henry:
Never closes his browser
Requests pages every 20 minutes or so.
Stays logged in!
![Page 19: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/19.jpg)
2. Authentication
```
session.cookie_lifetime = 0; // default
session.gc_maxlifetime = 1440; // default
```
Example
Henry:
Leaves his browser open
Takes a 30 min. snack break
Session garbage collected – logged out!
![Page 20: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/20.jpg)
2. Authentication
```
session.cookie_lifetime = 3600; // 1 hr
session.gc_maxlifetime = 1440; // default
```
Example
Henry:
Leaves his browser open
Takes a 30 min. snack break
Session garbage collected – logged out!
![Page 21: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/21.jpg)
2. Authentication
```
session.cookie_lifetime = 3600; // 1 hr
session.gc_maxlifetime = 3600; // 1 hr
```
Example
Henry:
Leaves his browser open
Takes a 45 min. snack break
Works for 30 mins.
Session cookie expires – logged out!
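The scenarios above let the PHPSESSID cookie and garbage collection decide when Henry is logged out, but gc_maxlifetime only makes stale session data eligible for cleanup, and the collector runs at session start with probability session.gc_probability/session.gc_divisor. The following is an added example, not code from the slides, that enforces both an absolute lifetime and an idle timeout in the application itself; the constant names, the $_SESSION keys and the /login redirect are assumptions:

```php
<?php
// Added example (not from the slides): enforce an absolute lifetime and an idle
// timeout in application code instead of trusting the cookie and garbage
// collection, which only makes stale session files eligible for removal.
declare(strict_types=1);

const ABSOLUTE_LIFETIME = 86400; // 24h, like session.cookie_lifetime on the slide
const IDLE_TIMEOUT      = 1440;  // 24 min, like the session.gc_maxlifetime default

// Returns 'ok' when the session may continue, otherwise the reason it expired.
// $now is a parameter so the rule can be exercised without a live PHP session.
function checkSessionTimeouts(array &$session, int $now): string
{
    if (!isset($session['created_at'])) {
        // first request of this session: record its start and last activity
        $session['created_at']  = $now;
        $session['last_active'] = $now;
        return 'ok';
    }
    if ($now - $session['created_at'] > ABSOLUTE_LIFETIME) {
        return 'absolute';   // hard cap, however active the user was
    }
    if ($now - $session['last_active'] > IDLE_TIMEOUT) {
        return 'idle';       // Henry's 30-minute snack break ends here
    }
    $session['last_active'] = $now;   // sliding window, like gc_maxlifetime
    return 'ok';
}

// Request wiring: an expired session is destroyed, not silently trusted.
function enforceSessionTimeouts(): void
{
    session_start();
    $verdict = checkSessionTimeouts($_SESSION, time());
    if ($verdict === 'ok') {
        return;
    }
    $_SESSION = [];
    // expire the PHPSESSID cookie too, so the browser stops presenting the old ID
    setcookie(session_name(), '', time() - 3600, '/', '', true, true);
    session_destroy();
    header('Location: /login?reason=' . $verdict);
    exit;
}
```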
![Page 22: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/22.jpg)
2. Authentication
Oh yeah, what was I trying to do?
![Page 23: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/23.jpg)
2. Authentication
![Page 24: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/24.jpg)
3. Keep Me Logged In
What would
do?
![Page 25: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/25.jpg)
3. Keep Me Logged In
1. initial login
2. create new auth token for user
3. store user’s unique auth token in DB
4. store auth token in ‘my_auth’ cookie
![Page 26: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/26.jpg)
3. Keep Me Logged In
1. read auth token from ‘my_auth’ cookie
2. lookup auth token in DB
3. if valid token, log user in
4. store new session ID and auth token in cookies
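An added example, not the slides' code, of the token flow just described (login steps 2 and 3, return-visit steps 1 to 3): the DB holds only a hash of the token, so a leaked table does not yield usable ‘my_auth’ cookies, and the hash is compared with hash_equals(). The table name, the selector:token cookie layout and the 30-day lifetime are assumptions, and the in-memory SQLite table is constructed so the code runs stand-alone:

```php
<?php
// Added example (not the slides' code): the "Keep Me Logged In" flow with the
// auth token stored hashed in the DB and compared in constant time.
declare(strict_types=1);

const REMEMBER_COOKIE   = 'my_auth';   // cookie name from the slides
const REMEMBER_LIFETIME = 30 * 86400;  // 30 days; an assumed value

// Constructed in-memory table so the example runs stand-alone.
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY,
        token_hash TEXT NOT NULL, user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');
    return $db;
}

// Login steps 2 and 3: mint a token, store only its hash, return the cookie value.
function issueRememberToken(PDO $db, int $userId, int $now): string
{
    $selector = bin2hex(random_bytes(8));   // finds the row without revealing the secret
    $token    = bin2hex(random_bytes(32));  // the secret only the browser holds
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $token), $userId, $now + REMEMBER_LIFETIME]);
    return $selector . ':' . $token;
}

// Return-visit steps 1 to 3: look up by selector, reject expired rows, compare the
// hash with hash_equals(). Returns the user id, or null for any failure.
function userFromRememberCookie(PDO $db, string $cookie, int $now): ?int
{
    [$selector, $token] = array_pad(explode(':', $cookie, 2), 2, '');
    $stmt = $db->prepare('SELECT token_hash, user_id, expires_at FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < $now
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Usage: $cookie = issueRememberToken($db = openDb(), 123, time());
//        userFromRememberCookie($db, $cookie, time()) returns 123,
//        any altered or expired cookie returns null.
```

Step 4 on the slide is then session_regenerate_id(true) for the new session ID plus setcookie() for the ‘my_auth’ value, sent with the Secure and HttpOnly flags.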
![Page 27: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/27.jpg)
3. Keep Me Logged In
![Page 28: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/28.jpg)
4. Security
What about security?
![Page 29: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/29.jpg)
4. Security
![Page 30: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/30.jpg)
4. Security
Firesheep
![Page 31: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/31.jpg)
4. Security
![Page 32: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/32.jpg)
4. Security
I CAN HAZ SSL?
![Page 33: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/33.jpg)
4. Security
Re-authenticate!
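An added example, not code from the slides, covering the three points of this section in one place: a session cookie that only travels over SSL and is hidden from JavaScript (so a Firesheep-style sniffer on the wi-fi never sees PHPSESSID in the clear), a fresh session ID at login, and a re-authentication check that treats a remember-me login as weaker than a password entry. The $_SESSION keys, REAUTH_MAX_AGE and the function names are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later:

```php
<?php
// Added example (not from the slides): cookie hardening plus the
// "re-authenticate" rule. The $_SESSION keys and REAUTH_MAX_AGE are assumed names.
declare(strict_types=1);

const REAUTH_MAX_AGE = 300;   // seconds a password entry counts as fresh; assumed value

// Send PHPSESSID only over SSL and keep it away from JavaScript. Needs PHP 7.3+.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // browser session, the slides' default
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Log the user in under a fresh session ID and record how they got in:
// a password entry counts as fresh authentication, a 'my_auth' cookie does not.
function establishLogin(array &$session, int $userId, string $via, int $now): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // a pre-login ID must never become a logged-in one
    }
    $session['userId']   = $userId;
    $session['auth_via'] = $via;                            // 'password' or 'remember'
    $session['auth_at']  = $via === 'password' ? $now : 0;  // 0: password not proved yet
}

// Sensitive actions (change password or e-mail, view billing) require a password
// entry within REAUTH_MAX_AGE, no matter which cookie kept the user logged in.
function needsReauth(array $session, int $now): bool
{
    if (!isset($session['userId'])) {
        return true;                   // not logged in at all
    }
    return ($now - (int) ($session['auth_at'] ?? 0)) > REAUTH_MAX_AGE;
}
```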
![Page 34: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/34.jpg)
4. Security
![Page 35: PHP Cookies, Sessions and Authentication](https://reader036.vdocuments.net/reader036/viewer/2022062513/555e34f0d8b42aad058b4708/html5/thumbnails/35.jpg)
5. Thanks!
@hellogerard
http://straylightrun.net
http://github.com/hellogerard/tek11
© 2011. Some rights reserved.
Enjoy the wi-fi!