Session Encrypting/Hashing

Moderator: General Moderators

php_wiz_kid
Forum Contributor
Posts: 181
Joined: Tue Jun 24, 2003 7:33 pm

Session Encrypting/Hashing

Post by php_wiz_kid »

How do I encrypt or hash sessions so that users can't modify the session temporary file?
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Are you worried about local users modifying the session files, or web users modifying the session id?

If the former, you'll have to write your own custom session handler.
php_wiz_kid
Forum Contributor
Posts: 181
Joined: Tue Jun 24, 2003 7:33 pm

Post by php_wiz_kid »

I'm glad you're helping nielsene, I always read your security posts and you do a great job, I've implemented more of your stuff than anybody else. Keep up the good work.

Are the local users people who have access to the server, and web users are site visitors, right? I'm worried about the site visitors modifying the temporary file. I have it hashed, but that would probably be too easy to figure out. Should I worry about people who GET access to the server as in hackers, or does that not really happen? See, I'm new to PHP, and I'm trying my best to make my first site as secure as I possibly can.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Site visitors should have no way to modify the temporary files stored on the server, unless you are doing something very weird.

I'm working on a series of articles covering other security aspects. I hope to have the first two-three out in the next week. If you can wait that long for a more complete answer, it would probably be better than anything I'll throw together here right now.
php_wiz_kid
Forum Contributor
Posts: 181
Joined: Tue Jun 24, 2003 7:33 pm

Post by php_wiz_kid »

No, I mean the temporary file that gets stored on the user's local machine when you start a session. Or is that what you mean and I'm doing something weird?
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Ohh, that's the cookie OK. I understand now.

Have you read this thread, especially the linked version at the end? That should protect the client-side session value.

The tutorial I'm working on has a more elegant solution, but the old one still works and is secure.
php_wiz_kid
Forum Contributor
Posts: 181
Joined: Tue Jun 24, 2003 7:33 pm

Post by php_wiz_kid »

Thanks again nielsene, if this works then you've done it again. Message me when you get your security thing up. I would look forward to reading that.
phpScott
DevNet Resident
Posts: 1206
Joined: Wed Oct 09, 2002 6:51 pm
Location: Keele, U.K.

security tutorial

Post by phpScott »

Are you going to be posting the tutorial on the phpdn somewhere for all of us who are keenly interested?

phpScott
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Yes, hopefully the first installments will be up in about a week.