Our session system is due for an upgrade. Currently all PHP sessions are stored in the database, and some things are getting a bit slow. There have been a couple of approaches I've been considering, one of which is simply storing all the information in a browser cookie.
First I want to make clear I don't necessarily condone this. The reason I'm writing this post, is because I'm hoping for some more community feedback. Is this a really bad idea? I would love to know.
The benefits
If all the session data is stored in the browser, it means that I don't need to store it on the server. I actually don't care all that much for having the data on the server (unless it's the only secure way), it's mostly a gigantic map with session tokens and user id's (along with some other info).
I also feel it's more natural for HTTP, as it makes it a bit more stateless.
Sample code
- <?php
-
- class BrowserSession {
-
- public $secret = 'this will need to be a cryptographic random number';
- public $currentUser = null;
-
- // Sessions time out after 10 minutes
- public $timeout = 600;
-
- function init() {
-
- if (!isset($_COOKIE['MYSESSION'])) {
- echo "No session cookie found\n";
- return;
- }
-
- list($userId, $time, $signature) = explode(':',$_COOKIE['MYSESSION']);
-
- // The cookie is old
- if ($time> time() + $this->timeout) {
- echo "The session cookie timed out\n";
- }
-
- if ($signature !== $this->generateSignature($userId,$time)) {
- echo "The secret was incorrect\n";
- }
-
- $this->currentUser = $userId;
-
- echo "Logged in as user: $userId\n";
-
- }
-
- function login($userId) {
-
- $this->userId = $userId;
-
- $time = time();
-
- $cookie = $this->userId . ':' . time() . ':' . $this->generateSignature($userId,$time);
-
- setcookie('MYSESSION',$cookie,$time+$this->timeout,null,null,null,true);
-
- echo "Set cookie: $cookie\n";
-
- }
-
- function generateSignature($userId,$time) {
-
- $stringToSign =
- $userId . "\n" .
- $time . "\n" .
- $_SERVER['HTTP_USER_AGENT'] . "\n" .
- $_SERVER['REMOTE_ADDR'];
-
- return hash_hmac('SHA1',$stringToSign,$this->secret);
-
- }
-
- }
-
- ob_start();
- $session = new BrowserSession();
- $session->init();
-
- if (isset($_GET['login'])) $session->login($_GET['login']);
- else {
-
- echo '<br /><a href="?login=1234">Log in as user 1234</a>';
-
- }
- ?>
A few notes:
- The preceeding code was just intended as a proof of concept, it's missing some validation.
- Currently the secret would be the same for every user. I was thinking of appending some per-user information to the secret. If somebody does guess or bruteforce the secret, they would only have access to a single users' information.
- If a user changes their password, existing sessions should expire. To do this the signature should also include a sequence number that changes when the password changes.
- Currently this only stores a user id. It could be extended to contain more data, but this is all I need.
So, is there anything fundamentally wrong with this approach? In general the client should never be trusted, but for setups where the security requirements aren't as high (highly subjective, I know) I feel this might be strong enough. OAuth, OpenID and Amazon AWS all seem to trust HMAC+SHA1, but those applications do work differently.
Credit where it's due
I first asked this question on stack overflow. The users there already gave some great suggestions and pointed out some of the flaws. Thank you!
