[OWASP_PHPSEC] Session Management Library : Adding location of sessions

Shivam Dixit shivamd001 at gmail.com
Wed Sep 11 20:00:00 UTC 2013


Hello Rahul,

Thank you for explaining the point to me more clearly. I will design the
structure and will get back to you.


On Wed, Sep 11, 2013 at 10:07 PM, rahul chaudhary <
rahul300chaudhary400 at gmail.com> wrote:

> Shivam,
>
> The thing that Abbas suggested is not something you would have to search for.
> What he meant was that instead of using the session table itself for
> storing data, you should use a different table.
>
> By asynchronous he meant that you should design the function such that
> it could work alone and not come in between the process of
> storing/retrieving sessions. The reason for that is that if locating
> sessions takes 200 ms, then storing sessions would be too slow and hence it
> will slow the overall app. Thus, the function should be such that it
> runs only for those who want this service, and even then the function should
> run independently of the app (possibly in the background), so that the app does
> not have to worry about the location.
>
> With location you would also have to check that two login attempts are not
> made from two very distant locations. E.g. I logged in from India this morning
> and the second login is in the US that same noon. That is not possible and hence
> must trigger some error, or log event, or mail, etc. So if possible also
> try to design this mechanism.
>
>
> On Tue, Sep 10, 2013 at 4:05 PM, Shivam Dixit <shivamd001 at gmail.com>wrote:
>
>> Hello Abbas,
>>
>> Thanks for explaining the point to me. I will search on the internet for how this
>> can be implemented and then will come up with another idea.
>>
>>
>> On Tue, Sep 10, 2013 at 7:05 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>
>>> Ok,
>>> It needs to be plug-able (i.e. creating its own tables, without any side
>>> effects) because not everybody wants the locations and the overhead
>>> assigned to them.
>>> It should also be able to retrieve location databases automatically, and
>>> check for its requirements.
>>>
>>> It needs to work asynchronously, meaning that it should not block the
>>> session creation or update while it retrieves the location (only if it takes
>>> more than a reasonable time, say 200 milliseconds). For how to do that, you
>>> have to google around.
>>>
>>> Any more elaboration?
>>> -Abbas
>>>
>>>
>>> On Sep 10, 2013, at 9:21 AM, Shivam Dixit <shivamd001 at gmail.com> wrote:
>>>
>>> Hello Abbas,
>>>
>>> Rahul told me that we have to *store session location* also, which is
>>> part of *phase 2* but I can work on it if I want to.
>>>
>>> Can you please elaborate a bit on "plug-able system that works
>>> asynchronously"?
>>>
>>> Thanks
>>>
>>>
>>> On Tue, Sep 10, 2013 at 6:47 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>
>>>> It isn't a mandatory session function, and it makes the system very slow.
>>>> The better idea is to have it as a plug-able system that works
>>>> asynchronously.
>>>> -A
>>>>
>>>>
>>> --
>>> *Cheers,*
>>> *Shivam*
>>>
>>>
>>>
>>
>>
>> --
>> *Cheers,*
>> *Shivam*
>>
>> _______________________________________________
>> OWASP_PHP_Security_Project mailing list
>> OWASP_PHP_Security_Project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>
>>
>
>
> --
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634
>



-- 
*Cheers,*
*Shivam*
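The distant-login check Rahul describes above, written out as an added example in PHP; it is not code from the OWASP PHPSEC library. It assumes a hypothetical separate location table whose rows carry `lat`, `lon` and a Unix `time`, a constructed pair of logins four hours apart, and an assumed 1000 km/h ceiling for plausible travel; the check is meant to run over that table after the session has already been stored, so the session store itself is never delayed.

```php
<?php
// Added example, not OWASP PHPSEC code. The row shape ['lat','lon','time'] and the
// 1000 km/h ceiling are assumptions for illustration.
declare(strict_types=1);

const EARTH_RADIUS_KM = 6371.0;
// Fastest plausible legitimate travel (roughly a commercial flight); tune per deployment.
const MAX_PLAUSIBLE_KMH = 1000.0;
// Distance below which a zero or negative time gap is still treated as benign (same city).
const SAME_PLACE_KM = 50.0;

// Great-circle distance in kilometres between two coordinates (haversine formula).
function haversineKm(float $lat1, float $lon1, float $lat2, float $lon2): float
{
    $dLat = deg2rad($lat2 - $lat1);
    $dLon = deg2rad($lon2 - $lon1);
    $a = sin($dLat / 2) ** 2
       + cos(deg2rad($lat1)) * cos(deg2rad($lat2)) * sin($dLon / 2) ** 2;
    return 2 * EARTH_RADIUS_KM * asin(sqrt($a));
}

// Compare a new login's location against the previous one recorded for the same user.
// Returns ['ok' => bool, 'distance_km' => float, 'speed_kmh' => ?float]; speed is null
// when the timestamps give no usable interval, in which case distance alone decides.
function checkImpossibleTravel(array $previous, array $current): array
{
    $distance = haversineKm($previous['lat'], $previous['lon'], $current['lat'], $current['lon']);
    $hours = ($current['time'] - $previous['time']) / 3600;
    if ($hours <= 0) {
        return ['ok' => $distance < SAME_PLACE_KM, 'distance_km' => $distance, 'speed_kmh' => null];
    }
    $speed = $distance / $hours;
    return ['ok' => $speed <= MAX_PLAUSIBLE_KMH, 'distance_km' => $distance, 'speed_kmh' => $speed];
}

// Constructed sample rows: a login near New Delhi, then one near New York four hours later.
$previous = ['lat' => 28.61, 'lon' => 77.21,  'time' => strtotime('2013-09-11 08:00:00 UTC')];
$current  = ['lat' => 40.71, 'lon' => -74.01, 'time' => strtotime('2013-09-11 12:00:00 UTC')];

$result = checkImpossibleTravel($previous, $current);
if (!$result['ok']) {
    // Record the anomaly (log, alert, mail) for the app to act on; this runs after the
    // session has been stored, so the store is never blocked by the location lookup.
    error_log(sprintf('Implausible travel: %.0f km in %.1f h (%.0f km/h)',
        $result['distance_km'], ($current['time'] - $previous['time']) / 3600, $result['speed_kmh']));
}
```

The sample pair is roughly 11,800 km apart, so the implied speed is close to 3000 km/h and the login is flagged; a second login from the same city minutes later passes.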