Session encryption necessary?

php_wiz_kid
Forum Contributor
Posts: 181
Joined: Tue Jun 24, 2003 7:33 pm

Post by php_wiz_kid »

I have my session temporary files hashed in MD5, but since they're stored on the server I was wondering if it is really necessary to do that.
m@ndio
Forum Regular
Posts: 163
Joined: Fri Jun 06, 2003 12:09 pm
Location: UK

Post by m@ndio »

This is the reason why the sessions need to be encrypted anyway: if they are not encrypted they are open to session hijacking. I say that, but a simple MD5 on a session will not stop a session hijack; you need to add more checks, i.e. cookie checks, IP address checks, etc.
php_wiz_kid
Forum Contributor
Posts: 181
Joined: Tue Jun 24, 2003 7:33 pm

Post by php_wiz_kid »

I check to see if user IDs and cookie IDs match up, and how would I incorporate the IP address?
m@ndio
Forum Regular
Posts: 163
Joined: Fri Jun 06, 2003 12:09 pm
Location: UK

Post by m@ndio »

Well, personally what I do is:

1. create a session and grab the session ID

2. this session ID is already an MD5 hash, but I MD5 it again (dunno why, it's just my thing).

3. get the IP of the user and MD5 it

4. store the encrypted session ID and encrypted IP in the database

5. create a cookie on the client machine and store their encrypted session ID & encrypted IP.

6. check details from the cookie against details in the database; if they match, Bob's your aunty.
php_wiz_kid
Forum Contributor
Posts: 181
Joined: Tue Jun 24, 2003 7:33 pm

Post by php_wiz_kid »

When the user leaves the web site, how does the information get removed from the database? The IP address may not always be the same as before, or am I getting this all wrong?
m@ndio
Forum Regular
Posts: 163
Joined: Fri Jun 06, 2003 12:09 pm
Location: UK

Post by m@ndio »

The IP will be the same as we are storing this in the cookie. If the cookie does not exist, then do steps 1-6 that I just mentioned...

Edit: you can set an expiry time on the cookie and delete the temporary records for that user when they log out, but this will leave idle records because not everyone logs out of things...

If you have access to cron jobs on your server, then you can set one up to automatically remove any records from the database that are more than a week old or something. This time would ideally be the same as the expiry time on the cookie, so that the cookie and the temporary records are deleted at the same time.

Sorry, forgot to add this :oops:
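The binding described in steps 1-6 above, as an added example that is not code from anyone in this thread. It keeps the fingerprint server-side in $_SESSION rather than in a separate database table and a client cookie, uses a keyed SHA-256 hash instead of MD5, and handles the case raised above (the client's IP changing) by ending the session instead of trusting a client-supplied value. Assumed: PHP 7.3+, a site served over HTTPS, and `$secret` as a placeholder for a server-side key.

```php
<?php
// Added example, not code from the thread. Binds a PHP session to a
// keyed hash of the client IP, stored server-side in $_SESSION instead of
// the separate database table the thread describes, and uses HMAC-SHA256
// rather than MD5. Assumes PHP 7.3+ and a site served over HTTPS;
// $secret is a placeholder for a server-side key kept outside the web root.
declare(strict_types=1);
function client_fingerprint(string $ip, string $secret): string
{
    // Keyed hash: the raw address is not stored, and a copied session
    // store cannot be used to forge a matching value without the key.
    return hash_hmac('sha256', $ip, $secret);
}

// Returns true if the request carries a valid bound session (new or
// existing), false if an existing session was rejected and destroyed.
function start_bound_session(string $secret): bool
{
    ini_set('session.use_only_cookies', '1'); // no session IDs in URLs
    ini_set('session.use_strict_mode', '1');  // reject uninitialised IDs
    session_set_cookie_params([
        'httponly' => true,   // not readable from JavaScript
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();

    $fp = client_fingerprint($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0', $secret);

    if (!isset($_SESSION['fp'])) {
        // First request for this session: issue a fresh ID so an ID fixed
        // before login cannot be reused, then record the fingerprint.
        session_regenerate_id(true);
        $_SESSION['fp'] = $fp;
        return true;
    }

    // Constant-time compare against the server-side copy. A mismatch means
    // the client address changed (the case raised in the thread) or the
    // cookie was presented from elsewhere; either way, do not trust it.
    if (!hash_equals($_SESSION['fp'], $fp)) {
        $_SESSION = [];
        session_destroy();
        return false; // caller should treat the user as logged out
    }
    return true;
}
```

Call `start_bound_session()` before any session data is read on each page; on `false`, send the user back to the login page. Because the fingerprint lives in the server-side session store, the cron cleanup discussed above is handled by PHP's own session garbage collection and the cookie's expiry.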
php_wiz_kid
Forum Contributor
Posts: 181
Joined: Tue Jun 24, 2003 7:33 pm

Post by php_wiz_kid »

Thanks, I think I've got it now.