Page 1 of 1

Session Security

Posted: Tue Jun 10, 2003 6:19 am
by Coco
Ok after reading various posts here and needing to try to tidy up the security of my site, ive come up with the following...
I was wondering if you all could give me some feedback as to how good this would be?
Cheers :)

Session creation:

Code: Select all

<?php
			$PHPAUCTION_LOGGED_IN = mysql_result($res,0,"id");
			$PHPAUCTION_LOGGED_IN_USERNAME = mysql_result($res,0,"nick");
			$PHPAUCTION_SESSION_IP = $ipaddress;
			$ADMIN_LOGGED_IN_LEVEL = 0;
			$PHPAUCTION_SESSION_SECURE = md5($SESSION_PREFIX . $PHPAUCTION_SESSION_IP . $ADMIN_LOGGED_IN_LEVEL);
			session_name($SESSION_NAME);
			session_register("PHPAUCTION_LOGGED_IN","PHPAUCTION_LOGGED_IN_USERNAME", "PHPAUCTION_SESSION_IP", "PHPAUCTION_SESSION_SECURE", "ADMIN_LOGGED_IN_LEVEL");
?>
Session Checking:

Code: Select all

<?php
if(isset($HTTP_SESSION_VARS['PHPAUCTION_SESSION_IP']))
{
	if($ipaddress != $HTTP_SESSION_VARS['PHPAUCTION_SESSION_IP'])
	{
		session_unset();
		session_destroy();
	}
	else
	{
		//check that the data = the md5
		$test = md5($SESSION_PREFIX . $HTTP_SESSION_VARS['PHPAUCTION_SESSION_IP'] . $HTTP_SESSION_VARS['ADMIN_LOGGED_IN_LEVEL']);
		if($HTTP_SESSION_VARS['PHPAUCTION_SESSION_SECURE']!=$test)
		{
			session_unset();
			session_destroy();
		}
	}
}
else
{
	session_unset();
	session_destroy();
}
?>
My line of thinking was that if someone 'steals' a session then their ip address will change, hence invalidating the session.

Posted: Tue Jun 10, 2003 7:59 am
by nielsene
Assuming that $SESSION_PREFIX is a "server secret" that looks pretty good. There are a few bits i can't confirm, specifically where you are getting the user's IP from -- some sources are easier than others to spoof. But this will detect a "simple" session hijack.