Am I right about PHP sessions?

**auriaks** · 06-25-2010, 11:46 PM

Originally Posted by djr33

Two possibilities:
1. $_SERVER['HTTP_HOST'] is an unexpected value or includes http:// already. Try typing the address directly.
2. You were echoing $cookie and $session. A header() redirect only works BEFORE any text is output. I know this is commented out in your post, but if you had this executing while testing, that would cause a problem.

Add exit(); to the end and the script will stop execution there.

where I must use Exit() ??

The problem can be that when I destroy session - both variables became empty, and they are still equal...

**djr33** · 06-25-2010, 11:51 PM

After the redirect. I added it to my previous post-- I forgot when I first posted it.

**auriaks** · 06-26-2010, 12:35 AM

OK, now works... Maybe you know how I can solve the session and cookie question?

When I broke the session my $_COOKIE and $_SESSION values becomes empty... And that means equal:

PHP Code:


if($_COOKIE['hash'] != $_SESSION['hash'])

**traq** · 06-26-2010, 01:34 AM

my bad.

PHP Code:


<?php

if(empty($_SESSION['hash'] || $_COOKIE['hash'] != $_SESSION['hash'])){
   // end session, redirect to login, stop script
}

?>

Also my bad:

If you're using $_SERVER['HTTP_USER_AGENT'], you should check the session hash directly against that value each time, instead of relying solely on the cookie's hash value. It's an extra step the malicious user would have to go through, beyond simply stealing the cookie:

PHP Code:


<?php

//  things we use to create hash
$user = "username";
$pass = "password";
$agent = $_SERVER['HTTP_USER_AGENT'];

//  don't hash HTTP_USER_AGENT yet
$hash = md5($user.$pass);
//  cookie won't include it
setcookie("hash", $hash);
//  but session will
$_SESSION['hash'] = md5($hash.$agent);

//  when you check later on:

if(empty($_SESSION['hash']) || 
   md5($_COOKIE['hash'].$_SERVER['HTTP_USER_AGENT']) != $_SESSION['hash']){
     // user/pass/agent combination doesn't match.  
     // destroy session, redirect to re-login, end script
}

?>

**auriaks** · 06-26-2010, 01:49 AM

PHP Code:


//  when you check later on:



if(empty($_SESSION['hash']) || 

   md5($_COOKIE['hash'].$_SERVER['HTTP_USER_AGENT']) != $_SESSION['hash']){

     // user/pass/agent combination doesn't match.  

     // destroy session, redirect to re-login, end script

}

This part: where I have to check it?

I already use:

PHP Code:


<?php

session_start();



if(empty($_SESSION['hash'] || $_COOKIE['hash'] != $_SESSION['hash'])){

   header("Location: http://www.share2gether.xz.lt/login.php");

    exit();

}

?>

..In every page TOP.

There is a mistake in first script in your comment...

**traq** · 06-26-2010, 02:35 AM

the second bit of code (where the hash is checked separately) is an alternative method which could be used in place of what you're using now. It requires the cookie and session values to be set differently, however.

about the mistake - which comment/ which script are you referring to?