  1. #1
    Regular Coder
    Join Date
    Feb 2010
    Posts
    208
    Thanks
    15
    Thanked 2 Times in 2 Posts

    High security PHP sessions

    Hi,

    I want to create a model of a really high security system for my website. That would mean sessions.

    I already heard about something like that:
    PHP Code:
    <?php
    // Start (or resume) the session before touching $_SESSION
    session_start();
    $_SESSION['authID'] = 'your_special_ID';

    // Record a hash of the client's User-Agent for later comparison
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);

    // Shiflett-style fingerprint: salt + User-Agent, bound to the current session id
    $fingerprint = 'SHIFLETT' . $_SERVER['HTTP_USER_AGENT'];
    $_SESSION['fingerprint'] = md5($fingerprint . session_id());
    ?>
    But is this good enough? Are there mistakes? Maybe there are other ways to achieve a high security level against session and website hijacks??

    Thanks in advance.
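    As an added example (not code from the original post), here is the fingerprint idea above rewritten so it is actually checked on every request rather than only stored. It assumes a server-side constant SESSION_SECRET (a placeholder here) and PHP 7.3+ for the array form of session_set_cookie_params(). It deliberately leaves the session id out of the fingerprint, because a later session_regenerate_id() would otherwise break the check, and uses an HMAC with the secret so a client cannot recompute the stored value from its own User-Agent. Note the caveat from later in the thread: the User-Agent is client-supplied, so this is a defence-in-depth check, not a substitute for HTTPS and id regeneration.

```php
<?php
// Added example, not the forum poster's code.
declare(strict_types=1);

// Assumed placeholder: in a real deployment load this from config outside the web root.
const SESSION_SECRET = 'replace-with-a-long-random-server-side-secret';

// Never accept a session id from the query string, and refuse ids the server did not issue.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');

// Session cookie: HTTPS only, not readable by script, not sent on cross-site POSTs.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

/**
 * Keyed hash of the client's User-Agent. The key is server-side, so a client
 * that knows its own User-Agent still cannot forge the stored fingerprint.
 */
function computeFingerprint(string $userAgent): string
{
    return hash_hmac('sha256', $userAgent, SESSION_SECRET);
}

$expected = computeFingerprint($_SERVER['HTTP_USER_AGENT'] ?? '');

if (!isset($_SESSION['fingerprint'])) {
    // First request of this session: record the fingerprint.
    $_SESSION['fingerprint'] = $expected;
} elseif (!hash_equals($_SESSION['fingerprint'], $expected)) {
    // The id is being presented from a client that looks different from the
    // one that created the session. Discard the session instead of trusting it.
    $_SESSION = [];
    session_destroy();
    header('HTTP/1.1 403 Forbidden');
    exit('Session check failed');
}

// Application data goes into the session only after the check has passed.
$_SESSION['authID'] = $_SESSION['authID'] ?? 'your_special_ID';
```

hash_equals() is used for the comparison so the check takes the same time whether the mismatch is in the first or the last byte. Logging a 403 from this branch is a cheap detection signal: a burst of fingerprint failures on one session id is worth looking at.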

  • #2
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    SSH and force cookies.
    Use session_regenerate_id to always create a new session id, which would substantially reduce the threat of SID intercepting. May want to check the IP as well, though be aware that IP, USER_AGENT, and a good chunk of anything you get from $_SERVER are user provided and are therefore deemed unreliable.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)

  • #3
    Regular Coder
    Join Date
    Feb 2010
    Posts
    208
    Thanks
    15
    Thanked 2 Times in 2 Posts
    Btw,

    If I start a session, does it automatically create a session_id??

    Then the server saves it... And how do I then check if it is the same??

  • #4
    Senior Coder
    Join Date
    Jun 2008
    Location
    New Jersey
    Posts
    2,536
    Thanks
    45
    Thanked 259 Times in 256 Posts
    Quote Originally Posted by auriaks View Post
    Btw,

    If I start a session, does it automatically create a session_id??

    Then the server saves it... And how do I then check if it is the same??
    Unless you force it into a new session_id, the server recognizes whether it's the same ID or not, as it's stored locally and on the server (the server matches it up)... but since a user can alter their session_id if they know what they're doing, someone can spoof the server into believing they are someone else (what Fou-Lu said about intercepting). You can check the current session_id, but you don't need to.

  • #5
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    That's right. The session_id is provided by PHP and refers to (generally, though it can be changed) a file. This file is located wherever the save path for your sessions has been set, and in %TEMP% / /tmp otherwise. PHPSESSID is looked up by PHP among the user's entries, either as a cookie if available / forced, or in the GET of the querystring. It then matches this information when calling session_start, and returns the associated information from the session file with the same name.
    Using session_regenerate_id() will create a new session file, copy the data into it, submit a new cookie to the user, and attempt to destroy the original if possible. If your previous session was intercepted during transport, attempting to use it now becomes void since there is no associated session for that session_id. The expense is a little overhead since you need to take the time to do all this extra stuff. But C is so fast you won't even notice it to be honest.
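    The id lifecycle described in the two replies above (the server matching the presented PHPSESSID to its own session file, and session_regenerate_id() issuing a fresh id and dropping the old file) as a small login/logout handler. This is an added example, not the forum poster's code or a library's API; the $users array with its runtime-generated password hash is a constructed stand-in for a real user store, and the 300-second rotation interval is an arbitrary choice.

```php
<?php
// Added example, not the forum poster's code.
declare(strict_types=1);

ini_set('session.use_only_cookies', '1');   // ignore ?PHPSESSID=... in the query string
ini_set('session.use_strict_mode', '1');    // refuse ids the server never issued (fixation)
ini_set('session.cookie_httponly', '1');    // cookie not readable by script
ini_set('session.cookie_secure', '1');      // cookie only sent over HTTPS
session_start();

/** Authenticate and, on success, bind the session to the user under a brand-new id. */
function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Privilege level changes here: issue a fresh id and delete the old session
    // file (the "true" argument), so an id captured before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user']       = $username;
    $_SESSION['login_time'] = time();
    $_SESSION['last_regen'] = time();
    return true;
}

/** Gate a page behind a logged-in session and rotate the id periodically. */
function requireLogin(int $rotateAfterSeconds = 300): string
{
    if (empty($_SESSION['user'])) {
        header('HTTP/1.1 401 Unauthorized');
        exit('Login required');
    }
    // Rotating the id on a schedule shortens the window in which an
    // intercepted id remains usable, at the cost Fou-Lu mentions: a file copy.
    if (time() - $_SESSION['last_regen'] > $rotateAfterSeconds) {
        session_regenerate_id(true);
        $_SESSION['last_regen'] = time();
    }
    return $_SESSION['user'];
}

/** Clear server-side data, expire the client cookie, and remove the session file. */
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Constructed user store: in practice the hash would be stored, not computed per request.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

switch ($_POST['action'] ?? '') {
    case 'login':
        echo login($users, $_POST['username'] ?? '', $_POST['password'] ?? '') ? "ok\n" : "denied\n";
        break;
    case 'logout':
        logout();
        echo "logged out\n";
        break;
    default:
        echo 'Hello, ' . htmlspecialchars(requireLogin()) . "\n";
}
```

session.use_strict_mode is the setting that makes the "matches it up" step strict: with it on, a cookie carrying an id that has no session file on the server is discarded and a new id is generated, rather than PHP creating a session under the attacker-chosen id.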

  • #6
    Regular Coder
    Join Date
    Feb 2010
    Posts
    208
    Thanks
    15
    Thanked 2 Times in 2 Posts
    Is there a working example of secure sessions somewhere? I want to see what the script looks like and how it works...

    of course if it is possible... thanks.

  • #7
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Check out the session_regenerate_id page for some information on that: http://php.ca/manual/en/function.ses...enerate-id.php
    There are literally tons of approaches to securing sessions. Try searching for 'php session SSL secure' and see what you come up with for session specific information.

  • #8
    Regular Coder
    Join Date
    Feb 2010
    Posts
    208
    Thanks
    15
    Thanked 2 Times in 2 Posts
    This is another similar topic of mine. Can you take a look? http://www.codingforums.com/showthread.php?t=198813

