
Thread: Am I right about PHP sessions?

  1. #11 (So.Cal, joined Apr 2008)

    You don't need to check that the session id is the same; that is worked out between the browser and the server automatically.

    You can make it more secure by forcing php to use cookies and not accepting session ids in URLs (cookies are more secure than query strings passed in URLs), by changing the default directory on your server that stores session info (a custom session path is more secure than the default path, especially on shared servers), and more... Read here.

    What we've been talking about is above and beyond all that. Again, what it comes down to is how secure you actually need things to be. Are you using HTTPS / SSL? If not, then don't worry too much. Just force cookies, always re-validate that the user is logged in, ask the user to log in again before any serious changes can be made, and you should be fine.

  2. #12 (joined Aug 2009)

    Are you using HTTPS / SSL?
    No, just .php...

    Well, I don't know much about cookies. Maybe you know a tutorial or working example of secure sessions? Because what I am looking for now is a script, or parts to add into one.

  3. #13 (So.Cal, joined Apr 2008)

    In your php.ini file, put:
    Code:
    session.use_only_cookies = 1
    session.cookie_httponly = 1
    use_only_cookies prevents php from using session info passed in the URL
    cookie_httponly makes the cookie usable only via http (not javascript, etc. - not supported by all browsers yet)


  4. #14 (joined Aug 2009)

    where do I have to create php.ini file?
    Do I have to include it?

  5. #15 (joined Aug 2009)

    Take a look into my LOGIN script:
    PHP Code:
    <?php
    $error  = '';
    $eroras = '';

    if (isset($_POST['enter'])) {
        include $_SERVER['DOCUMENT_ROOT'] . '/connect/db_conn.php';

        // Validate the raw input before hashing: md5() output is never empty and
        // never contains a non-word character, so these checks would always pass
        // if they ran on the hash instead of the typed password.
        $rawpass = $_POST['password'];
        $nick    = strtolower($_POST['nick']);

        if ($rawpass == '') {
            $error .= "<li>Enter your password!</li>";
        }
        if ($nick == '') {
            $error .= "<li>Enter your Nick!</li>";
        }
        if (preg_match('/\W/', $rawpass) || preg_match('/\W/', $nick)) {
            $error .= "<li>!!! No symbols !!!</li>";
        }

        if ($error == '') {
            // md5() is not a password hash and the mysql_* functions were removed in
            // PHP 7; both are kept here as posted so the session part can be followed.
            $password = md5($rawpass);
            $nick     = mysql_real_escape_string($nick);

            $check = mysql_query("SELECT * FROM `test_sessions` WHERE nick='$nick' AND pass='$password'")
                or die(mysql_error());
            if (mysql_num_rows($check) == 0) {
                $error .= "<li>Wrong password or Nick!</li>";
            }
        }

        if ($error != '') {
            $eroras = '<center><font color="grey">Mistakes:<br/><br/><font color="blue">' . $error . '</font></font></center>';
        } else {
            $r = mysql_fetch_array($check) or die(mysql_error());

            session_start();

            $code         = md5($nick . $password);
            $sess_time    = date('ymdHis');
            $sess_browser = $_SERVER['HTTP_USER_AGENT'];

            $_SESSION['code']    = $code;
            $_SESSION['time']    = $sess_time;
            $_SESSION['browser'] = $sess_browser;

            header("Location: index.php");
            exit; // nothing below should be sent once the redirect has been issued
        }
    }

    if (isset($_GET['act']) && $_GET['act'] == 'logout') {
        session_start();   // begin session
        session_unset();
        session_destroy(); // remove the entire session
    }
    ?>
    <?php echo $eroras; ?>

    <html xmlns="http://www.w3.org/1999/xhtml" lang="lt">
    <head>
    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <meta http-equiv="Content-Language" content="lt"/>
    </head>
    <body>
    <form method='post' action='login[test].php'>
    <table align='center'><tr><td> User:</td>
    <br />
    <td><input type='text' name='nick' size='15'></td>
    </tr><tr><td>Password:</td>
    <br />
    <td><input type='password' name='password' size='15'><input type='submit' name='enter' value=' Enter '></td></tr></table>
    <br />
    </form>
    </body>
    </html>
    I want to change this part:

    PHP Code:
    session_start();

    $code         = md5($nick . $password);
    $sess_time    = date('ymdHis');
    $sess_browser = $_SERVER['HTTP_USER_AGENT'];

    $_SESSION['code']    = $code;
    $_SESSION['time']    = $sess_time;
    $_SESSION['browser'] = $sess_browser;
    to create a more powerful session...

    I wonder if I could use cookie like:
    PHP Code:
    <?php
    $hash = md5($nick . $password . $sess_time);
    setcookie("hash", $hash);
    ?>
    and use it as the variable $_SESSION['hash']...
    As you can see, all of that is just a scratch... But maybe I can make something from all of this?

    TIP: For now, I am not looking into other pages such as regenerating session_id or checking the hash for user authentication... Just trying to create a powerful session. Only then could I look forward.

  6. #16 (So.Cal, joined Apr 2008)

    A php.ini file goes in the directory you want it to affect, much the way a .htaccess file does. You don't include it.

    Don't use the $sess_time in your cookie. Because the time constantly changes, it will be impossible to successfully check against this value. Otherwise, fine cookie.

    HOWEVER, the main thing here is that you check against it. For example,
    PHP Code:
    <?php
    session_start();

    // I will assume you are also setting $nick and $password somewhere in here
    $sess_browser = $_SERVER['HTTP_USER_AGENT'];

    $hash = md5($nick . $password . $sess_browser);  // create hash
    $_SESSION['hash'] = $hash;                        // save hash to SESSION
    setcookie("hash", $hash);                         // save hash in cookie for user
    ?>
    Will be completely useless unless you always validate it whenever the user opens a new page (or AJAX request, etc. - anything!). If you don't use the info, it does no good - that's the really important part. So, every "secure" page needs to also include something like:
    PHP Code:
    <?php
    session_start(); // $_SESSION is empty on this page until the session is started

    if (!isset($_COOKIE['hash'], $_SESSION['hash']) || $_COOKIE['hash'] != $_SESSION['hash']) {
        header("Location: http://www.mysite.com/login-again");
    }
    ?>

  7. The Following User Says Thank You to traq For This Useful Post:

    auriaks (06-25-2010)

  8. #17 (joined Aug 2009)

    This reply was most informational (if this is even a word)

    But still I have some questions... I have a lot of "secure" directories. Is it possible to use one php.ini file for all of them? Or will I need to create one in each..?

    How can I improve the security level? IP checking can be a big trouble, so I won't use it. Maybe I should use my encrypted code as a part of the hash, like:
    PHP Code:
    <?php
    session_start();

    // I have $nick and $password in the previous script.
    $sess_browser = $_SERVER['HTTP_USER_AGENT'];

    $code    = 'jaskdjhasjdh455452sdasd';   // server-side secret mixed into the hash
    $my_code = md5($code);

    $hash = md5($my_code . $nick . $password . $sess_browser);  // create hash
    $_SESSION['hash'] = $hash;  // save hash to SESSION
    setcookie("hash", $hash);   // save hash in cookie for user
    ?>
    And also I could regenerate session_id.

    BTW, is this session and cookie destroy correct?
    PHP Code:
    if (isset($_GET['act']) && $_GET['act'] == 'logout') {
        session_start(); // begin session
        // session_unset() takes no arguments; a single key is dropped with unset()
        unset($_SESSION['hash']);
        // a cookie cannot be removed through session_unset(); it is removed by
        // sending it again with an expiry time in the past
        setcookie("hash", "", time() - 3600);
        session_destroy(); // remove the entire session
    }

    Last edited by auriaks; 06-25-2010 at 08:40 AM.
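    Putting together the advice in posts #11, #16 and #17 (force cookies, check a stored fingerprint on every page and every AJAX request, regenerate the session id, ask for the password again before serious changes, and tear the session down properly on logout), here is an added example in the form of one include file. It is not code from this thread. Assumed names: SESSION_SECRET (a value that lives only on the server; a placeholder here), LOGIN_URL, IDLE_TIMEOUT, ROTATE_AFTER, REAUTH_AFTER and the function names; it needs PHP 5.6+ for hash_equals(). It keeps the thread's User-Agent binding, but computes the fingerprint as an HMAC keyed by the server secret instead of md5() over the nick and password, so nothing derived from the password is stored in the session or sent in a cookie, and the check compares a server-side value with the current request rather than one cookie with another.

```php
<?php
// Added example, not code from this thread. Assumed names: SESSION_SECRET,
// LOGIN_URL, IDLE_TIMEOUT, ROTATE_AFTER, REAUTH_AFTER and the functions below.
// Needs PHP 5.6+ (hash_equals). Save as session_guard.php and require it first
// on every page, before any output.

define('SESSION_SECRET', 'replace-with-a-long-random-value-kept-outside-the-web-root'); // assumed placeholder
define('LOGIN_URL',      '/login.php');   // assumed
define('IDLE_TIMEOUT',   15 * 60);        // seconds of inactivity before a fresh login is required
define('ROTATE_AFTER',    5 * 60);        // seconds between session id rotations
define('REAUTH_AFTER',   10 * 60);        // max age of the last password entry for sensitive actions

// Start the session with cookie-only ids and an HttpOnly cookie, whatever the
// directory's php.ini says. The Secure flag is set only when this request is HTTPS.
function secure_session_start() {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params(0, '/', '', $https, true); // lifetime, path, domain, secure, httponly
    session_start();
}

// Client fingerprint: the thread binds the User-Agent into the session; here it
// is an HMAC under the server secret, so nothing password-derived is stored.
function client_fingerprint() {
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    return hash_hmac('sha256', $ua, SESSION_SECRET);
}

// Call once the nick/password check has succeeded. A fresh id discards
// whatever id the browser carried before it authenticated (session fixation).
function login_success($user_id) {
    secure_session_start();
    session_regenerate_id(true);
    $now = time();
    $_SESSION = array(
        'user_id'     => $user_id,
        'fingerprint' => client_fingerprint(),
        'auth_time'   => $now,   // when the password was last typed
        'last_seen'   => $now,
        'rotated'     => $now,
    );
}

// Top of every protected page and every AJAX endpoint. Returns the user id.
function require_login() {
    secure_session_start();
    $ok = isset($_SESSION['user_id'], $_SESSION['fingerprint'], $_SESSION['last_seen'], $_SESSION['rotated'])
        && hash_equals($_SESSION['fingerprint'], client_fingerprint())
        && (time() - $_SESSION['last_seen']) <= IDLE_TIMEOUT;
    if (!$ok) {
        logout();
        header('Location: ' . LOGIN_URL);
        exit; // the redirect header alone does not stop the rest of the page being sent
    }
    $_SESSION['last_seen'] = time();
    if (time() - $_SESSION['rotated'] > ROTATE_AFTER) {
        session_regenerate_id(true); // limits how long a copied id stays usable
        $_SESSION['rotated'] = time();
    }
    return $_SESSION['user_id'];
}

// For password or e-mail changes: also insist the password was entered recently.
function require_recent_login() {
    $user_id = require_login();
    if (!isset($_SESSION['auth_time']) || time() - $_SESSION['auth_time'] > REAUTH_AFTER) {
        header('Location: ' . LOGIN_URL . '?reauth=1');
        exit;
    }
    return $user_id;
}

// Drop the server-side data and expire the browser's session cookie;
// session_destroy() by itself leaves the cookie (and its id) in the browser.
function logout() {
    secure_session_start();
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

    In the login script above, the success branch would call login_success($r['id']) (assuming the row has an id column) in place of the three $_SESSION assignments, a protected page opens with require_login(), and the logout branch calls logout(). Binding to the User-Agent only stops the most casual reuse of a copied id, since whoever copies the cookies can copy that header too; what actually limits theft is HttpOnly, the Secure flag under HTTPS, and short idle and rotation windows, which is why the example leans on those.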

  9. #18 (joined Aug 2009)

    Can you explain more about these:
    Code:
    [Session]
    session.save_handler = files
    session.save_path = /tmp
    session.use_cookies = 1
    session.use_only_cookies = 1
    session.name = PHPSESSID
    session.auto_start = 0
    session.cookie_lifetime = 0
    session.cookie_path = /
    session.cookie_domain =
    session.serialize_handler = php
    session.gc_probability = 1
    session.gc_divisor = 1000
    session.gc_maxlifetime = 1440
    session.bug_compat_42 = 0
    session.bug_compat_warn = 1
    session.referer_check =
    session.entropy_length = 0
    session.entropy_file =
    ;session.entropy_length = 16
    ;session.entropy_file = /dev/urandom
    session.cache_limiter = nocache
    session.cache_expire = 180
    session.use_trans_sid = 1
    url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
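    Read against the php.ini pasted above and the two directives from post #13, here is an added example (not from the thread) that checks the live session settings against a hardened set and applies them at runtime. All session.* directives can be changed with ini_set() before session_start(), so a bootstrap like this, included at the top of every page, covers every directory without a php.ini in each one. The function names and the target values are this example's own choices; the comments mark which of the pasted values are the weak ones. session.entropy_length and session.entropy_file are left out of the policy because PHP 7.1 removed them (ids are drawn from the system CSPRNG since then).

```php
<?php
// Added example, not code from the thread. Function names and the target
// values are this example's choices; the "pasted" comments refer to the
// php.ini shown in post #18.

// Session directives worth pinning, with the value to enforce.
function session_ini_policy() {
    return array(
        // pasted: 1 (good) - the id is read from the cookie only, never from ?PHPSESSID=...
        'session.use_only_cookies' => '1',
        // pasted: 1 (weak) - rewrites the id into links and form actions, so it
        // leaks through Referer headers, bookmarks and proxy logs
        'session.use_trans_sid'    => '0',
        // pasted: not set (weak) - without HttpOnly, a script injected into the
        // page can read document.cookie and send the id elsewhere
        'session.cookie_httponly'  => '1',
        // pasted: not set - reject ids the server never issued (fixation); PHP 5.5.2+
        'session.use_strict_mode'  => '1',
        // pasted: 1440 - idle data becomes eligible for collection after 24 minutes
        'session.gc_maxlifetime'   => '1440',
        // pasted: nocache - keeps pages that depend on the session out of shared caches
        'session.cache_limiter'    => 'nocache',
    );
}

// Which directives currently differ from the policy: name => live value.
// ini_get() returns false for a directive this PHP build does not know,
// which is reported as weak too.
function audit_session_ini() {
    $weak = array();
    foreach (session_ini_policy() as $name => $wanted) {
        $current = ini_get($name);
        if ((string) $current !== $wanted) {
            $weak[$name] = $current;
        }
    }
    return $weak;
}

// Apply the policy for this request. Must run before session_start().
// Returns the directives that could not be set (unknown on this PHP version,
// or ini_set() disabled by the host) so the caller can decide not to start.
function apply_session_ini() {
    $failed = array();
    foreach (session_ini_policy() as $name => $wanted) {
        if (ini_set($name, $wanted) === false) {
            $failed[] = $name;
        }
    }
    return $failed;
}

// Flags that belong to the cookie rather than to a directive: path, Secure
// (only meaningful on HTTPS) and HttpOnly. Also before session_start().
function apply_session_cookie_flags() {
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params(0, '/', '', $https, true);
}

// Bootstrap: report what is weak, enforce, re-check, then start the session.
foreach (audit_session_ini() as $name => $value) {
    error_log("session config weak before bootstrap: $name = '$value'");
}
$failed = apply_session_ini();
if ($failed) {
    error_log('session directives that could not be set: ' . implode(', ', $failed));
}
foreach (audit_session_ini() as $name => $value) {
    error_log("session config still weak after bootstrap: $name = '$value'");
}
apply_session_cookie_flags();
if (PHP_SAPI !== 'cli') {
    session_start();
}
```

    Run it once on the shared host and read the error log: the "before" lines tell you which directives the host's php.ini leaves weak, and the "could not be set" line tells you which ones you will have to ask the host to change, because ini_set() cannot fix them from code.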

  10. #19 (joined Aug 2009)

    Why is this script not working?? I am not getting redirected by the header when the session is destroyed. What I can see is an empty window...
    PHP Code:
    <?php
    session_start();
    $cookie  = $_COOKIE['hash'];
    $session = $_SESSION['hash'];

    //echo "$cookie and $session";

    $host = $_SERVER['HTTP_HOST'];
    $link = "http://$host/login.php";

    if ($_COOKIE['hash'] != $_SESSION['hash']) {
        header("Location: $link");
    }
    ?>

  11. #20 (Illinois, USA, joined Mar 2006)

    Two possibilities:
    1. $_SERVER['HTTP_HOST'] is an unexpected value or includes http:// already. Try typing the address directly.
    2. You were echoing $cookie and $session. A header() redirect only works BEFORE any text is output. I know this is commented out in your post, but if you had this executing while testing, that would cause a problem.


    Also, that is NOT secure: a header redirect is very reliable, but not 100% reliable. Some browser could decide to ignore it, or, more importantly, a hacker would be able to avoid it: then they would have access to your page. It is generally a good way to move the user to another page, but you also need to be sure that you do not show any secure information. Add exit(); to the end and the script will stop execution there.


    Try this:
    PHP Code:
    <?php
    session_start();
    $cookie  = $_COOKIE['hash'];
    $session = $_SESSION['hash'];

    $link = "http://www.example.com/login.php";

    if ($_COOKIE['hash'] != $_SESSION['hash']) {
        header("Location: $link");
        exit();
    }
    ?>

    And make sure this is the first thing in your source code: any text (even whitespace-- spaces, returns, etc.) will make the header functions (session, header()) not work.
    Last edited by djr33; 06-25-2010 at 11:50 PM.
