PHP token security

Question

I wrote a PHP application which requires a login. This application is private so no new users can register. First I used sessions to identify the users but it lead to problems on tablets because they lost their sessions. I think this is because of energy saving operations.

Now I changed my application to generate a random security token. So the authentication is as the follows:

• Log in
• Generate random security token and save it to disk
• Redirect the browser to http://myhost/site?id=[securitytoken]
• On the server side I check if the file exists - if yes, user is authenticated

Everything is now working perfectly I am just thinking about security concerns. It is no problem if the user sees the security token. Is it somehow possible to find out the token when I use GET? I am using SSL.

I tried to change the expiration times and cookie lifetimes. On a normal computer it is working as it should. On the table it is also working IF it does not go into standby (meaning the screen gets black). If the screen gets black, the session expires very soon.

Answer 1

There is no vulnerability inherent to using GET instead of, for example, POST from a network perspective.

The only caveat you should keep in mind is that a GET request is more likely to be stored on the client (e.g. browser history) in a way you might not intend. For these reasons, I typically use POST requests for authentication.

The problem you are attempting to solve sounds remarkably similar to "remember me" cookies. The linked blog post might be helpful in mitigating the security risks involved in designing token-base authentication systems.

Generally, web apps are confined to using localStorage and cannot silently read/write to files in the background. How are you accomplishing this?

When you say you're using SSL, do you really mean TLS or do you mean SSL version 3? If SSLv3, I would advise updating your stack and webserver configuration to support current best standards. TLSv1.2 with ECDHE and AES-GCM + SHA2 or ChaCha20-Poly1305 are ideal.

Answer 2

GET is more vulnerable than POST as it can be transmitted and stored:

• In server logs by default.
• In corporate proxy logs.
• In the referer header if your page uses external resources or links to external domains.

In your example you have a http URL (this could be a typo though as you said you are using SSL). Make sure you are using https URLs to protect this data in transit.

This approach could also be vulnerable to Session Fixation as an attacker could get the user to visit a URL containing, or redirecting to, the same session ID as the attacker. When the victim logs in, the shared session will be authenticated meaning the attacker is now also logged in. To protect against this, refresh the session ID upon login and logout.

Cookies are often the preferred approach for session handling as they are harder to attack in the above scenarios.

Answer 3

The issue with in URL variables in the get form means that for one : users can easily modify it (by accident or not) and they stay even when the link is copied somewhere.

If you send someone your link/someone gets your link with the id variable in it,is that a security risk to you?