Thursday, May 31, 2007

PHP Session Security

1. Shared web servers—anyone else on the server can read your session files (typically in the /tmp directory) if PHP is running as an Apache module (so the session files belong to the web user) and possibly when PHP is used as a CGI (depending on how sessions are implemented).

Someone browsing the session files (probably) won’t know which site the sessions apply to (so may not be able to use a username / password combination they found) but you may still be putting sensitive info (like credit card details) somewhere for all to see. Plus they’ve got a list of valid session IDs…

If you’re just storing passwords in the session, you can get away with this by using md5() (preferably twice) to one-way encrypt the password. This doesn’t help though if you need to recover the value of a session variable.

Using a custom session handler to store the sessions in a database is probably the best solution. You might consider MySQL HEAP tables if performance is an issue (assuming MySQL running on same machine as Apache). If it gets to very high traffic, it’s time to think about getting your own server…
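As an added illustration of the database approach (example code, not from the original post): a custom save handler that keeps session rows in a database table instead of files in /tmp. It uses PDO with an in-memory SQLite database so it runs stand-alone; the DSN and the CREATE TABLE are constructed for the example, and in production you would point the DSN at MySQL (a HEAP/MEMORY table, as suggested above) with credentials that belong to your site alone. It assumes PHP 5.4 or later for SessionHandlerInterface and the pdo_sqlite extension; on older PHP the same six callbacks are passed to session_set_save_handler() as plain functions.

```php
<?php
// Added example: database-backed session storage via a custom save handler.
// The table layout and the SQLite DSN are constructed for this example.

class DbSessionHandler implements SessionHandlerInterface
{
    private $db;
    private $maxLifetime;

    public function __construct(PDO $db, $maxLifetime)
    {
        $this->db = $db;
        $this->maxLifetime = (int) $maxLifetime;
    }

    #[\ReturnTypeWillChange]
    public function open($savePath, $sessionName) { return true; }

    #[\ReturnTypeWillChange]
    public function close() { return true; }

    #[\ReturnTypeWillChange]
    public function read($id)
    {
        // Only hand back data for a session that has not expired yet.
        $stmt = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = :id AND expires > :now');
        $stmt->execute(array(':id' => $id, ':now' => time()));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // PHP expects a string; '' means "no such session".
        return $row ? $row['data'] : '';
    }

    #[\ReturnTypeWillChange]
    public function write($id, $data)
    {
        // SQLite syntax; MySQL would use REPLACE INTO or
        // INSERT ... ON DUPLICATE KEY UPDATE.
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, expires)
             VALUES (:id, :data, :expires)');
        return $stmt->execute(array(
            ':id'      => $id,
            ':data'    => $data,
            ':expires' => time() + $this->maxLifetime,
        ));
    }

    #[\ReturnTypeWillChange]
    public function destroy($id)
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute(array(':id' => $id));
    }

    #[\ReturnTypeWillChange]
    public function gc($maxLifetime)
    {
        // Garbage collection: drop every row whose expiry has passed.
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires <= :now');
        $stmt->execute(array(':now' => time()));
        return $stmt->rowCount();
    }
}

// Constructed in-memory database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (
    id      VARCHAR(128) PRIMARY KEY,
    data    TEXT    NOT NULL,
    expires INTEGER NOT NULL)');

$handler = new DbSessionHandler($db, (int) ini_get('session.gc_maxlifetime'));
// Second argument registers session_write_close() as a shutdown function.
session_set_save_handler($handler, true);

session_start();
$_SESSION['user_id'] = 42;   // constructed sample value
session_write_close();       // row is written by DbSessionHandler::write()
```

With this in place nothing about the session ever touches the shared filesystem; the only thing another tenant on the box could learn is that the database exists, and the database credentials, not the web user, decide who can read the rows.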

2. XSS exploits (and session hijacking)—using JavaScript users can be fooled into giving away their active session_id.

All someone needs to “hijack” a session is the unique session id. It’s like the key to a railway station locker. The locker doesn’t check you’re the valid owner of the key, before allowing you to open it so anyone with the key can get in.

Research XSS and how to prevent it.

Accept that session hijacking cannot be entirely prevented (checks on IP address, for example, are foiled by AOL, who assign a new client IP on more or less every page request) so double check “critical actions” a user can perform when logged in e.g. when changing password—require the old password, which the session hijacker will (hopefully) not know. Displaying credit card information—do like Amazon and only display the last four digits. Basically limit the damage someone can do if they hijack a session.

3. Session IDs in URL (and hijacking)—if you’re using session IDs in the URL (as opposed to a session cookie), make sure offsite links do not contain the session ID (or the remote site will be able to hijack)—PHP should take care of this. Also your visitors may give away the session ID in the referrer field—ideally pass off site links through a redirect page, to eliminate the referrer (although, unfortunately, some browsers keep the last 3 pages viewed I believe—unsure of facts).

Ideally, don’t pass session ids in the URL—require users to accept a cookie if they need to “log in”.
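An added example (not code from the original post) of the cookie-only setup described in points 2 and 3, together with a redirect page for off-site links. The ini settings and functions are real PHP (session.cookie_httponly needs PHP 5.2.0 or later); the file name out.php and the allowlist of destination hosts are constructed for the example.

```php
<?php
// Added example: cookie-only sessions plus an off-site redirect page.

// Point 3: never accept a session id from the query string and never rewrite
// links to carry one, so neither a pasted link nor a Referer header can leak it.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Point 2: HttpOnly keeps document.cookie from reading the id (PHP >= 5.2.0).
ini_set('session.cookie_httponly', '1');
// Point 5: when the site runs over HTTPS, send the cookie over TLS only.
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    ini_set('session.cookie_secure', '1');
}
session_start();

// Off-site links point at out.php?to=<url>. The page emits a meta refresh
// rather than a Location: header: an HTTP redirect forwards the referrer of
// the page that linked here, whereas a meta refresh navigation carries at
// most this page's own URL, which contains no session id. Destinations are
// limited to an allowlist so the page cannot be used as an open redirect.
$ALLOWED_HOSTS = array('www.example.org', 'example.net'); // constructed list

function offsite_redirect_target($url, array $allowedHosts)
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }
    return $url;
}

$target = isset($_GET['to'])
    ? offsite_redirect_target($_GET['to'], $ALLOWED_HOSTS)
    : null;
if ($target === null) {
    header('HTTP/1.0 400 Bad Request');
    exit('Unknown destination');
}
$escaped = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
echo '<!DOCTYPE html><html><head>',
     '<meta http-equiv="refresh" content="0;url=', $escaped, '">',
     '</head><body><a href="', $escaped, '">Continue</a></body></html>';
```

Put the ini_set() calls before session_start() on every page (or set the same keys in php.ini) so that a visitor who pastes a URL with ?PHPSESSID=… into the address bar simply gets a fresh cookie-based session rather than the one named in the link.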

4. Session Fixation (pre-hijacking) (see http://www.acros.si/papers/session_fixation.pdf).

If you assign a session to a visitor to your site, before they are logged in (for example for clickpath analysis), make sure that you assign them a new session id when they do login, so that if someone pre-generated the initial session id for them, they won’t get the new ID.

For PHP 4.2.0+, see session_regenerate_id() (in particular the user submitted comments). For PHP < 4.2.0, the session_id() function (http://www.php.net/session_id) may also be useful (haven’t explored it in this context myself).
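One added example (not from the original post) covering both point 4 and the “critical actions” advice in point 2: a login routine that regenerates the session id the moment the visitor authenticates, and a change-password routine that demands the current password and rotates the id again afterwards. The user store is a constructed in-memory array; real code would query a database. It assumes PHP 5.5 or later for password_hash()/password_verify() (the md5() advice above predates those functions) and PHP 5.1.0 or later for the delete_old_session argument to session_regenerate_id().

```php
<?php
// Added example: regenerate the id at login (fixation) and re-check the
// password before a sensitive change (limiting a hijacked session).

// Constructed user store: username => password hash.
$USERS = array(
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
);

function login(array $users, $username, $password)
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Whatever id this visitor arrived with (issued for clickpath tracking,
    // or planted by someone else) is replaced now, and the old server-side
    // session record is deleted so the pre-generated id is worthless.
    session_regenerate_id(true);
    $_SESSION = array('user' => $username, 'logged_in_at' => time());
    return true;
}

function change_password(array &$users, $newPassword, $currentPassword)
{
    if (empty($_SESSION['user'])) {
        return false;   // nobody is logged in
    }
    $username = $_SESSION['user'];
    // Holding a valid session id is not enough: the caller must also know the
    // current password, which someone who merely copied the id should not.
    if (!password_verify($currentPassword, $users[$username])) {
        return false;
    }
    $users[$username] = password_hash($newPassword, PASSWORD_DEFAULT);
    // Rotate the id after the change as well; a stolen copy of the old one
    // stops working here.
    session_regenerate_id(true);
    return true;
}

function mask_card_number($number)
{
    // Display only the last four digits, as point 2 recommends.
    $digits = preg_replace('/\D/', '', $number);
    return str_repeat('*', max(0, strlen($digits) - 4)) . substr($digits, -4);
}

session_start();
$loggedIn = login($USERS, 'alice', 'correct horse battery staple');
// Wrong current password: refused even though the session is authenticated.
$refused  = change_password($USERS, 'new-secret', 'wrong guess');
// Correct current password: accepted, and the session id rotates again.
$accepted = change_password($USERS, 'new-secret', 'correct horse battery staple');

var_dump($loggedIn, $refused, $accepted);
echo mask_card_number('4111 1111 1111 1111'), "\n";   // constructed test number
```

Everything that calls session_regenerate_id() runs before any output, because the new id is delivered as a Set-Cookie header; on a real page the same ordering applies.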

5. Sniffing Packets (use SSL [HTTPS])—a session ID can be “sniffed” between the client and your server. If it’s a site where money is changing hands or other sensitive personal information is involved, SSL is a requirement.

Otherwise, without SSL, you have to live with the risk (just like you do every time you use that FTP client…).

6. Cookies are not for session data—on a related note, don’t use cookies to store sensitive information.

Cookie data, unlike sessions, gets stored on the client side. Apart from the “sniffing risk”, a large majority of Windows users have little idea of security and may be “owned by haxor”.

Otherwise, cookies (aside from the session cookie PHP creates for you) are generally meant for long term (i.e. between visits) data persistence (e.g. “Remember Me”) rather than “active session” persistence.

There’s probably more things to watch out for (or facts to correct)—suggestions appreciated.

5 Traits of a Successful Project

Why do some companies, I.T. teams, or project leaders always seem to complete difficult implementations successfully while others struggle? The reason is that there are similar actions taken on most, if not all, successful technology implementations. Regardless of the development methodology employed, leaders should do the following to make sure every major project has a shot at success.

1. Balance demand with capacity.
One of the most important traits of all successful organizations is the balance between demand and capacity. Successful governance committees know with accuracy the available capacity of their technology implementation teams. When this committee commits to a project, it knows demand and capacity are balanced. In other words when it commits the troops, the committee recognizes it has sufficient resources to carry out the mission. Projects descend into chaos when demand exceeds capacity. Most of you, I wager, have witnessed the chaos of over committed implementation teams. Committees on the right side of this issue avoid creating a mess for themselves.

2. Dedicate resources the team can count on day in and day out.
Successful projects have resources the team can rely on. If a person is dedicated, for example, 50% of the time to the project, this doesn't mean 45% or 25%. It means the project leader knows he or she has 50% of that person's time - guaranteed. Before the successful implementation begins, the project manager details the type and number of the human resources required for the project. Then the organization provides those resources and keeps them dedicated.

3. Include skilled business analysts on the implementation team.
Successful implementations are based on a thorough business analysis of desired outcomes. Insightful business analysis relies on skilled and experienced investigators, whose curiosity drives them to discover the heart of an issue or problem and then participate in devising a solution. In-depth business analysis, at the conclusion of the implementation, leads to a "Wow!" from users of the new system, not an "Oh, that is not what we wanted." I predict that in the next several years implementation teams will routinely include business analysts who are certified by the International Institute of Business Analysis, because business analysis is fast becoming a profession, not a part-time job.

4. Rely on project managers that exemplify mature professionalism.
Successful implementations always have at their head experienced, mature project managers who know the science of project management and possess leadership skills to rally the troops. These leaders inspire confidence. They listen and get out from behind their desks. They make sure the project team is trained on and uses calibrated project management tools. Competent project managers know on any given day within 10% where a project is in terms of cost and progress. These project leaders serve as a hub for communications - sending information down from the governance committee and up from the implementation team.

5. Make fact-based decisions.
The one unvarying trait competent project leaders possess is honesty. They give truthful evaluations and are mature enough to make timely reports on bad news to the governance committee. This unflinching honesty makes it possible for the organization to kill "bad" projects before they waste resources and destroy morale. This is in itself a measure of success - limiting risk and loss to the enterprise. Successful project leaders have both responsibility and authority. For example, they have the authority to dedicate additional resources should that become necessary.

Successful governance committees are trained on and use portfolio management tools. This means that they have a window into the process and make fast effective decisions to stop small problems from becoming major ones. These committees are integrated into an effective two-way flow of information down to the project leaders and up from the implementation team. Fundamentally, it does not seem to matter whether an organization subscribes to agile project management, waterfall model, incremental, spiral, scrum, crystal, lean development, or the project management body of knowledge (PMBOK). Success truly rests on:

  • A governance committee that balances capacity with demand
  • Sufficient, dedicated, equipped, and experienced resources
  • Thorough business analysis
  • Mature, secure, honest project leaders who have responsibility and authority
  • Fact-based decisions

These organizations have done everything humanly possible to ensure that technology implementations either deliver business improvements or are cancelled before they waste precious resources.