Session encryption necessary?
Posted: Thu Jul 03, 2003 2:09 pm
by php_wiz_kid
I have my session temporary files hashed in MD5, but since it's stored on the server I was wondering if it is really necessary to do that.
Posted: Thu Jul 03, 2003 2:17 pm
by m@ndio
This is the reason why the sessions need to be encrypted anyway, as if they are not encrypted they are open to session hijacking. I say that, but a simple MD5 on a session will not stop a session hijack; you need to add more checks, i.e. cookie checks, IP address checks etc.
Posted: Thu Jul 03, 2003 2:24 pm
by php_wiz_kid
I check to see if user IDs and cookie IDs match up, and how would I incorporate the IP address?
Posted: Thu Jul 03, 2003 2:39 pm
by m@ndio
Well, personally what I do is:
1. create a session and grab the session ID
2. this session ID is already an MD5 hash but I MD5 it again (dunno why, it's just my thing).
3. get IP of user and MD5 it
4. store the encrypted session ID and encrypted IP in database
5. create a cookie on the client machine and store their encrypted session ID & encrypted IP.
6. check details from the cookie against details in the database; if they match, Bob's your aunty.
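The six steps above written out in PHP, as an added example that is not m@ndio's own code. It assumes a PDO connection `$db` and a table `sessions(sid_hash, ip_hash, created)`; both names are assumptions, and the one-week window matches the cron cleanup mentioned later in the thread.

```php
<?php
// Added example (not from the thread). Assumed table:
//   sessions(sid_hash CHAR(32), ip_hash CHAR(32), created INT)
const SESSION_TTL = 7 * 24 * 3600; // one week, same as the cookie expiry

function bind_session(PDO $db): void {
    session_start();
    // Steps 1 and 2: take the session ID and MD5 it again
    $sidHash = md5(session_id());
    // Step 3: MD5 the client's IP address
    $ipHash = md5($_SERVER['REMOTE_ADDR']);
    // Step 4: store both hashes with a timestamp (prepared statement, no string building)
    $stmt = $db->prepare(
        'INSERT INTO sessions (sid_hash, ip_hash, created) VALUES (?, ?, ?)'
    );
    $stmt->execute([$sidHash, $ipHash, time()]);
    // Step 5: cookie on the client holding both hashes; Secure + HttpOnly so it
    // only travels over HTTPS and is not readable from page scripts
    $expiry = time() + SESSION_TTL;
    setcookie('sid_hash', $sidHash, $expiry, '/', '', true, true);
    setcookie('ip_hash', $ipHash, $expiry, '/', '', true, true);
}

function session_valid(PDO $db): bool {
    // No cookie yet: caller should run bind_session() (steps 1-6)
    if (!isset($_COOKIE['sid_hash'], $_COOKIE['ip_hash'])) {
        return false;
    }
    // Step 6: the cookie values must match a stored row that has not expired
    $stmt = $db->prepare(
        'SELECT 1 FROM sessions WHERE sid_hash = ? AND ip_hash = ? AND created > ?'
    );
    $stmt->execute([$_COOKIE['sid_hash'], $_COOKIE['ip_hash'], time() - SESSION_TTL]);
    return $stmt->fetchColumn() !== false;
}

// For the cron job described later in the thread: drop rows older than the cookie lifetime
function purge_stale_sessions(PDO $db): int {
    $stmt = $db->prepare('DELETE FROM sessions WHERE created < ?');
    $stmt->execute([time() - SESSION_TTL]);
    return $stmt->rowCount();
}
```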
Posted: Thu Jul 03, 2003 2:43 pm
by php_wiz_kid
When the user leaves the web site how does the information get removed from the database? The IP address may not always be the same as before, or am I getting this all wrong?
Posted: Thu Jul 03, 2003 2:46 pm
by m@ndio
The IP will be the same as we are storing this in the cookie. If the cookie does not exist then do steps 1-6 that I just mentioned...
Edit: you can set an expiry time on the cookie and delete the temporary records for that user when they logout, but this will leave idle records because not everyone logs out of things...
If you have access to cron jobs on your server then you can set one up on the server to automatically remove any records from the database that are more than a week old or something; this time would ideally be the same as the expiry time on the cookie, so that the cookie and the temporary records are deleted at the same time.
Sorry, forgot to add this.
Posted: Thu Jul 03, 2003 9:00 pm
by php_wiz_kid
Thanks, I think I've got it now.