[OWASP_PHPSEC] Session Management Library : Adding location of sessions

rahul chaudhary rahul300chaudhary400 at gmail.com
Wed Sep 11 16:37:09 UTC 2013


Shivam,

The thing that Abbas suggested, is not something you would have to search.
What he meant was that instead of using the session table itself for
storing data, you should use a different table.

With asynchronous he meant that you should design the function such that it
could work alone and not come in between the process of storing/retrieving
sessions. The reason for that is that if locating sessions take 200 ms,
then storing sessions would be too slow and hence it will slow the overall
app. Thus, the function should be such that it should run for only those
who want this service, and even then the function should run independently
of the app (possibly in background), so that the app does not have to worry
about the location.

With location you would also have to check if two login attempts are not
made from two very far locations. E.g. I logged in from India this morning
and second login is in US that same noon. That is not possible and hence
must trigger some error, or log event or mail...etc....so if possible also
try to design this mechanism.


On Tue, Sep 10, 2013 at 4:05 PM, Shivam Dixit <shivamd001 at gmail.com> wrote:

> Hello Abbas,
>
> Thanks for explaining me the point. I will search on internet how this can
> be implemented and then will come up with another idea.
>
>
> On Tue, Sep 10, 2013 at 7:05 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>
>> Ok,
>> It needs to be plug-able (i.e creating its own tables, without any side
>> effects) because not everybody wants the locations and the overhead
>> assigned to them.
>> It should also be able to retrive location databases automatically, and
>> check for its requirements.
>>
>> It needs to work asynchronously, meaning that it should not block the
>> session creation or update while it retrives the location (only if it takes
>> more than a reasonable time, say 200 miliseconds). For how to do that, you
>> have to google around.
>>
>> Any more elaboration?
>> -Abbas
>>
>>      ______________________________________________________________
>> *Notice:** *This message is *digitally signed*, its *source* and *
>> integrity* are verifiable.
>> If you mail client does not support S/MIME verification, it will display
>> a file (smime.p7s), which includes the X.509 certificate and the signature
>> body.  Read more at Certified E-Mail with Comodo and Thunderbird<http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/> in
>> AbiusX.com
>>
>> On Sep 10, 2013, at 9:21 AM, Shivam Dixit <shivamd001 at gmail.com> wrote:
>>
>> Hello Abbas,
>>
>> Rahul told me that we have to *store session location* also, which is
>> part of *phase 2* but I can work on it if I want to.
>>
>> Can you please elaborate a bit on "plug-able system that works
>> asynchronously" ?
>>
>> Thanks
>>
>>
>> On Tue, Sep 10, 2013 at 6:47 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>
>>> It isn't a mandatory session function, and make the system very slow.
>>> The better idea is to have it as a plug-able system that works
>>> asynchronously.
>>> -A
>>>
>>>
>> --
>> *Cheers,*
>> *Shivam*
>>
>>
>>
>
>
> --
> *Cheers,*
> *Shivam*
>
> _______________________________________________
> OWASP_PHP_Security_Project mailing list
> OWASP_PHP_Security_Project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>
>


-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp_php_security_project/attachments/20130911/05457917/attachment-0001.html>


More information about the OWASP_PHP_Security_Project mailing list