
session security

Posted: Wed Jul 24, 2002 3:16 pm
by lethal

Code:

<?php
/*
CREATE TABLE `sessions` (
  `id` varchar(32) NOT NULL default '0',
  `time` timestamp(14) NOT NULL,
  `data` text NOT NULL,
  PRIMARY KEY (`id`)
) TYPE=MyISAM;
*/
$dbhost = "localhost";
$dbuser = "";
$dbpass = "";
$session_db = "";
$session_table = "sessions";
$session_link = NULL; // MySQL link opened in session_open() and reused by the other handlers

// Select the user-level ("user") save handler instead of the built-in file handler
session_module_name("user");

function session_open($path, $name)
{
    // Connect once per request; every other handler uses $session_link
    $GLOBALS["session_link"] = mysql_connect($GLOBALS["dbhost"], $GLOBALS["dbuser"], $GLOBALS["dbpass"]);
    if (!$GLOBALS["session_link"]) {
        return FALSE;
    }
    return mysql_select_db($GLOBALS["session_db"], $GLOBALS["session_link"]);
}

function session_close()
{
    if ($GLOBALS["session_link"]) {
        mysql_close($GLOBALS["session_link"]);
        $GLOBALS["session_link"] = NULL;
    }
    return TRUE;
}

function session_read($id)
{
    // The session id comes straight from the client's cookie/URL, so escape it
    // before it goes into SQL (the original interpolated it unescaped)
    $id = mysql_escape_string($id);
    $query = "SELECT data FROM " . $GLOBALS["session_table"] . " WHERE id='$id'";
    if (!$result = mysql_query($query, $GLOBALS["session_link"])) {
        return FALSE;
    }
    if (mysql_num_rows($result)) {
        $line = mysql_fetch_object($result);
        return $line->data;
    }
    // PHP expects an empty string (not NULL) for a session that does not exist yet
    return "";
}

function session_write($id, $data)
{
    $id = mysql_escape_string($id);
    $data = mysql_escape_string($data);
    // REPLACE inserts the row or overwrites the one with the same primary key,
    // so an unchanged UPDATE can no longer fall through to a duplicate INSERT;
    // time=NULL makes MySQL stamp the row with the current time
    $query = "REPLACE INTO " . $GLOBALS["session_table"] . " SET id='$id', data='$data', time=NULL";
    return (bool) mysql_query($query, $GLOBALS["session_link"]);
}

function session_remove($id)
{
    $id = mysql_escape_string($id);
    $query = "DELETE FROM " . $GLOBALS["session_table"] . " WHERE id='$id'";
    return (bool) mysql_query($query, $GLOBALS["session_link"]);
}

function session_gc($life)
{
    // Drop every session that has not been written for more than $life seconds
    // (the timestamp(14) column compares as YYYYMMDDHHMMSS)
    $query = "DELETE FROM " . $GLOBALS["session_table"] . " WHERE time < '" . date("YmdHis", time() - $life) . "'";
    return (bool) mysql_query($query, $GLOBALS["session_link"]);
}

session_set_save_handler("session_open", "session_close", "session_read", "session_write", "session_remove", "session_gc");
// Write the session before PHP starts tearing down extensions at shutdown,
// so the MySQL link is still open when session_write() runs
register_shutdown_function("session_write_close");
?>
Use these functions to store your sessions in a database instead of /tmp, which is world readable. To use this correctly, simply include/require the script. Here is an example:

Code:

<?php
require("name.php"); // include("name.php");
session_start();
if (!isset($_SESSION["test"])) {
    $_SESSION["test"] = "hello";
    echo $_SESSION["test"];
} else {
    echo $_SESSION["test"];
}
?>
Credit for these great functions goes to AZTEK of Blacksun Research Facility.
We take no responsibility for what happens IF you use these functions.

Posted: Wed Jul 24, 2002 3:59 pm
by BDKR
This type of thing goes back over a year to a story written on PHP Builder. A good idea no doubt to deal with the fact that tmp directories are open for any treacherous galoot to get into.

I wrote a class to do some sessions stuff and dump it into a database as well. But, being paranoid as I am, I also make sure that once the session starts from a particular IP, it continues from that same IP, else I assume it's been hijacked. I can tighten the screws even more and take note of the person's browser and OS using HTTPD_REFERRER (I think that's what it's called).

Later on,
BDKR
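One concrete form of the address/browser check BDKR describes, added here as an example rather than code from either poster. It assumes PHP's $_SERVER["REMOTE_ADDR"] and $_SERVER["HTTP_USER_AGENT"] as the two inputs, session_regenerate_id() (PHP 4.3.2 and later), and helper names client_fingerprint() and session_guard() chosen for this example.

```php
<?php
// Added example: tie a session to the client's address and user agent and
// drop the session when either one changes. Function names are made up here.

function client_fingerprint()
{
    // Both values are client-supplied, so this only raises the bar for a
    // copied cookie; it is not proof of identity
    $addr  = isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : "";
    $agent = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : "";
    return md5($addr . "|" . $agent);
}

// Returns TRUE when the session belongs to this client, FALSE when it was
// reset because the fingerprint no longer matched
function session_guard()
{
    session_start();
    $now = client_fingerprint();
    if (!isset($_SESSION["fingerprint"])) {
        // First request of this session: record who it belongs to
        $_SESSION["fingerprint"] = $now;
        return TRUE;
    }
    if ($_SESSION["fingerprint"] !== $now) {
        // Same cookie, different address/browser: treat as hijacked.
        // session_destroy() calls the save handler's remove (the DB row above),
        // then a fresh id is issued so neither party keeps the old one
        $_SESSION = array();
        session_destroy();
        session_start();
        session_regenerate_id();
        $_SESSION["fingerprint"] = $now;
        return FALSE;
    }
    return TRUE;
}

if (!session_guard()) {
    // Log the event and send the user back to the login page
    header("Location: login.php");
    exit;
}
?>
```

Binding to REMOTE_ADDR produces false alarms for users behind rotating proxies or mobile carriers, so some sites bind to the user agent only and log address changes rather than destroying the session.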