Secure Session Control

SyntaXmasteR
08-15-2007, 06:42 PM
Secure Session Control

This will be a short tutorial on creating and maintaining a secure session. If you put a little thought into what a Session is, you can easily implement your own way of protecting it & actually use sessions to your advantage. For those of you who do not understand what a session is, think of it as an instant database that is created for you to store values in (such as items added to a shopping cart). In PHP you can create a session by simply calling the function session_start(). You must call this function before any output is displayed to the browser, so it's a good idea to include your session control at the top of every page.


<?php include("session_controller.php"); ?>

<html>
<body>
<p>Hello</p>
</body>
</html>

When a session is created it is given a randomly generated identifier. This identifier, which is stored in the form of a cookie on the user's machine, talks to the server to add, update, & delete values stored in the session.

You can create a session variable by:


$_SESSION['variable_name_goes_here']= "Storing this text in your session!";

From now on when you call $_SESSION['variable_name_goes_here'] it will have the text "Storing this text in your session!" stored in it. You can delete this session variable by using the unset() function. Once you unset($_SESSION['variable_name_goes_here']) it will no longer exist as part of your session.

Another important thing about sessions is how to destroy them. You can simply do this by using the session_destroy() function. NOTE: This does not destroy session variables! They must be unset().

So how can you apply this information to make a session secure? Well you need to think about three things that are going to be unique when a session is created.

1. The exact time the session is created in hours, minutes, seconds: date('ymdHis')
2. The browser the visitor is using: $_SERVER['HTTP_USER_AGENT']
3. The ip address of the visitor: $_SERVER['REMOTE_ADDR']

Now that we have these three values what can we do with them? MD5 hash them into one value that is unique to the visitor. This will give the current visitor an id that uniquely identifies and validates their session.

Are we finished? NOOO! We are still not secure from session hijacking. A cookie monster might come along and steal your cookie and try to pass as your id to hijack your session. This code will do a pretty good job of protecting you from getting hijacked. There is still a chance that the person trying to hijack your session has the exact IP & Browser as you. Since I do not know enough javascript, I cannot write the code to grab the local ip of the user, but if I could the session would be just about unhijackable (if that was a word).

Here is the code to secure your session from being hijacked:


session_start();

// Record the three values the tutorial treats as unique to this visitor and
// store their MD5 digest in the session for later validation.
function build_session()
{
    $new_time = date('ymdHis');
    $new_brow = $_SERVER['HTTP_USER_AGENT'];
    $new_ipad = $_SERVER['REMOTE_ADDR'];
    $new_code = md5($new_time . $new_brow . $new_ipad) . "HashGuessing";

    $_SESSION['entrytime'] = $new_time;
    $_SESSION['hash']      = $new_code;
    $_SESSION['login']     = 1;
}

// Recompute the digest from the stored entry time and the current request,
// then compare it with the stored one. Returns 1 on a match, 0 otherwise.
function validate_session()
{
    if (!isset($_SESSION['entrytime'])) {
        return 0;
    }

    $new_time = $_SESSION['entrytime'];
    $new_brow = $_SERVER['HTTP_USER_AGENT'];
    $new_ipad = $_SERVER['REMOTE_ADDR'];
    $new_code = md5($new_time . $new_brow . $new_ipad) . "HashGuessing";

    if ($new_code != $_SESSION['hash']) {
        return 0;
    }
    return 1;
}

Here is my login function I created to go along with my session validation:


// Returns a status code for the current request:
//   0 = logged out, 1 = valid session, 2 = bad credentials,
//   3 = credentials accepted, 4 = not logged in.
// validate_login() is the author's own username/password check and is not
// shown in the post. The codes 1 and 3 are assumed; the archived post shows
// them only as '*'.
function login_control()
{
    if (isset($_SESSION['login']) && $_SESSION['login'] == 1) {
        if (isset($_GET['logout'])) {
            session_destroy();
            return 0; // YOU ARE NOW LOGGED OUT
        } else if (validate_session()) {
            return 1; // SESSION IS VALID AND USER LOGGED IN
        }
        return 0; // HASH MISMATCH: TREAT AS LOGGED OUT
    } else if (isset($_POST['u']) && isset($_POST['p'])) {
        if (!validate_login()) {
            return 2; // INVALID USERNAME AND PASSWORD
        } else {
            return 3; // VALID USERNAME AND PASSWORD
        }
    } else {
        session_destroy(); // NOT LOGGED IN
        return 4;
    }
}

For those of you who like to use <BASE href="http://www.syntax******.info/"> for easy navigation I created a function in PHP to do the same thing. I think it makes path navigation easier:


// Count the slashes in the script path and build a matching "../" prefix so
// links can be written relative to the site root.
$url = $_SERVER["PHP_SELF"];
$forward_slash_count = strlen($url) - strlen(str_replace("/", "", $url));

$path = "";
$path_replace = "../";

while ($forward_slash_count - 1 > 0) {
    $path .= $path_replace;
    $forward_slash_count--;
}
$_SESSION['path'] = $path;


This is my first tutorial, so I hope it was written in a clear manner and has helped you better understand the nature of sessions.

Til next time,

SyntaX
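As an added example that is not the author's or the tutorial's code, here is a variant of the build_session()/validate_session() controller from the post above that adds cookie flags, session-id regeneration at login, a constant-time hash comparison, an idle timeout and a logout that clears the variables as well as the session store; the 900-second idle limit is an assumed value.

```php
<?php
// Added example (not the tutorial's code): a hardened variant of build_session()/validate_session().
const IDLE_LIMIT = 900; // seconds of inactivity allowed before the session is dropped (assumed value)

function start_secure_session(): void // cookie flags keep the id away from scripts and plain HTTP
{
    session_set_cookie_params([
        'lifetime' => 0,    // browser-session cookie
        'path'     => '/',
        'secure'   => true, // sent over HTTPS only
        'httponly' => true, // hidden from document.cookie
        'samesite' => 'Strict',
    ]);
    session_start();
}

function session_fingerprint(): string // same request attributes the tutorial uses, hashed
{
    return hash('sha256', ($_SERVER['HTTP_USER_AGENT'] ?? '') . '|' . ($_SERVER['REMOTE_ADDR'] ?? ''));
}

function build_session(): void // call once after the username/password check succeeds
{
    session_regenerate_id(true); // discard the pre-login id (session fixation)
    $_SESSION['hash']      = session_fingerprint();
    $_SESSION['last_seen'] = time();
    $_SESSION['login']     = 1;
}

function validate_session(): bool // true only if the fingerprint matches and the session is not idle
{
    if (!isset($_SESSION['hash'], $_SESSION['last_seen'], $_SESSION['login'])) {
        return false;
    }
    if (time() - $_SESSION['last_seen'] > IDLE_LIMIT
        || !hash_equals($_SESSION['hash'], session_fingerprint())) { // constant-time compare
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

function destroy_session(): void // full logout: clear variables, expire the cookie, destroy the store
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/', '', true, true);
    session_destroy();
}
```

Call start_secure_session() in place of session_start() at the top of each page, build_session() once the credential check passes, and validate_session() on every later request.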

Ezekiel
08-22-2007, 11:04 AM
Awesome tutorial.

I've always wanted to implement PHP's session functionality on my site, but I wrote my own system entirely from scratch. Huge waste of time I guess.

Shall we sticky threads like this and let the bullshit drop away?

SyntaXmasteR
08-22-2007, 01:27 PM
A sticky would be nice, but I would like to make sure my code is completely secure. I wrote everything from scratch, so I would like a few php coders to double check my wording and code for possible flaws.

Do you know how to grab a local IP using Javascript? I want to add this to my code to fully validate the user.

Ezekiel
08-22-2007, 07:08 PM
Do you know how to grab a local IP using Javascript? I want to add this to my code to fully validate the user.

I'm pretty sure you can't do this, although you could make an xmlhttp request to the server, then the server replies with the user's IP address.

Never trust browsers for security though.

I'm gonna sticky all the good threads.

SyntaXmasteR
09-03-2007, 09:36 PM
UPDATED - Secure Session Control Tutorial (http://www.syntax******.info/scripts/secure_session_control.php)
I added diagrams and tried to clean up some of the jargon and simplify everything by giving more examples.