How to make administration section secure
Posted: Sun Feb 28, 2010 1:56 pm
by lshaw
Hello,
I want to make a secure administration section, using session variables and a database, but I assume session variables alone are not secure enough, so I was wondering if anyone knew any good way of protecting a site with an admin section from crackers. I cannot use IPs as most people using the site will have dynamic IPs.
Thanks for any help
Lewis
Re: How to make administration section secure
Posted: Sun Feb 28, 2010 6:39 pm
by s.dot
Make sure when you elevate permissions for a user you are using session_regenerate_id(true) and regenerate the id often. Also you can create a "fingerprint" for the user. Such as:
if (empty($_SESSION['fingerprint']))
{
    // store a hash of the username plus User-Agent when the session is first seen
    $_SESSION['fingerprint'] = md5($username . $_SERVER['HTTP_USER_AGENT']);
}
// compare against the same hash, not the raw string, otherwise the check never matches
if ($_SESSION['fingerprint'] !== md5($username . $_SERVER['HTTP_USER_AGENT']))
{
    // logout
}
This way it will lock them to the same browser and log them out if they somehow switch browsers during their session.

There are other values you can use for fingerprints as well.
Re: How to make administration section secure
Posted: Mon Mar 01, 2010 9:59 am
by lshaw
How often would you regenerate the session id? Just when selecting from the database and setting the authentication variables?
The fingerprint code looks good, but would the if condition need to md5() the username too for it to match?
[EDIT] Would adding the IP address to the fingerprint help at all?
Re: How to make administration section secure
Posted: Tue Mar 02, 2010 3:29 pm
by kaisellgren
You asked a very broad question. Securing an application is not a one-day task, and using certain controls does not guarantee anything. You need to perceive your assets, and model the idea of threats before you can go secure something.
Tying active sessions into IP-addresses and user agents (often referred to as "finger printing") is favorable. However, as you mentioned, IP-addresses may well change too often for your liking, thus, you can only tie them to a certain degree (e.g., don't check for all four parts of the IPv4-address.)
Session regeneration helps mostly in a way of hardening session prediction attacks assuming that the old session was destroyed (i.e., when using session_regenerate_id(), set the first parameter to true.) Another reason to regenerate the session (or just change the identifier) is to prevent session fixation attacks, in which case the regeneration would take place after the authentication.
lshaw wrote: How often would you regenerate the session id?
Regenerate it after the initial log-on (it is a must). And after that, the more you do that, the better, but I doubt this is going to be the weakest node in your chain meaning that you have probably other more important things to worry about.
Re: How to make administration section secure
Posted: Fri Apr 02, 2010 7:23 pm
by social_experiment
Would adding the IP address to the fingerprint help at all?
You could register the IP address as a session variable, and in your authorization page check that value against $_SERVER['REMOTE_ADDR'] as the user moves between pages. Another thing is to write the fingerprint value (which you could also hash) to the database, and register a session variable ($_SESSION['fingerprint']) and compare the one inside the database against the session variable, and should they not match, assume the user is not logged in or something is not correct and redirect the user.
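The three suggestions in this thread (s.dot's User-Agent fingerprint and session_regenerate_id(true), kaisellgren's regeneration after log-on and partial IP matching, social_experiment's database copy of the fingerprint) fit together into one small admin guard. The code below is an added example written for this page, not code posted by any of the participants. It assumes PHP 7 or later, a PDO connection in $db, and a table admin_sessions(username, fingerprint); REPLACE INTO is MySQL/SQLite syntax and the five-minute regeneration interval is an arbitrary choice.

```php
<?php
// Added example (not the thread's own code): admin session guard built
// from the advice in the posts above. Assumed: PHP 7+, PDO handle $db,
// table admin_sessions(username PRIMARY KEY, fingerprint).
declare(strict_types=1);

// Fingerprint = username + User-Agent + first three IPv4 octets.
// The last octet is dropped so a small change of a dynamic address does
// not log the admin out (kaisellgren's "don't check all four parts").
// sha256 is used instead of md5; the value is not a secret, so either works.
function fingerprint(string $username, array $server): string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    $partialIp = implode('.', array_slice(explode('.', $ip), 0, 3));
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $username . '|' . $ua . '|' . $partialIp);
}

// Call once the password check has succeeded. Regenerating the id with
// delete_old_session = true destroys whatever id the browser carried
// before login, which is the session fixation defence described above.
function elevateToAdmin(PDO $db, string $username): void
{
    session_regenerate_id(true);
    $fp = fingerprint($username, $_SERVER);
    $_SESSION['admin_user']  = $username;
    $_SESSION['fingerprint'] = $fp;
    $_SESSION['last_regen']  = time();

    // Server-side copy of the fingerprint (social_experiment's suggestion).
    $stmt = $db->prepare(
        'REPLACE INTO admin_sessions (username, fingerprint) VALUES (:u, :f)'
    );
    $stmt->execute([':u' => $username, ':f' => $fp]);
}

// Run at the top of every admin page. Returns true if the request may
// continue; on any mismatch the session is destroyed and the caller redirects.
function requireAdmin(PDO $db): bool
{
    if (empty($_SESSION['admin_user']) || empty($_SESSION['fingerprint'])) {
        return false;
    }
    $username = $_SESSION['admin_user'];
    $expected = fingerprint($username, $_SERVER);

    $stmt = $db->prepare('SELECT fingerprint FROM admin_sessions WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $stored = $stmt->fetchColumn();

    // The session copy and the database copy must both equal the value
    // recomputed from the current request; hash_equals avoids timing leaks.
    if ($stored === false
        || !hash_equals($_SESSION['fingerprint'], $expected)
        || !hash_equals((string) $stored, $expected)) {
        logoutAdmin($db, $username);
        return false;
    }

    // Periodic regeneration on top of the post-login one (interval is arbitrary).
    if (time() - ($_SESSION['last_regen'] ?? 0) > 300) {
        session_regenerate_id(true);
        $_SESSION['last_regen'] = time();
    }
    return true;
}

function logoutAdmin(PDO $db, string $username): void
{
    $db->prepare('DELETE FROM admin_sessions WHERE username = :u')
       ->execute([':u' => $username]);
    $_SESSION = [];
    session_destroy();
}

// Usage at the top of an admin page (assumed layout):
// session_start();
// if (!requireAdmin($db)) { header('Location: /login.php'); exit; }
```

Because the stored value is a hash, a changed User-Agent or a move to a different /24 network produces a mismatch in both the session and the database copy, and the admin is simply sent back to the login page; the one-time regeneration in elevateToAdmin is the part that actually closes the fixation window, while the periodic one only shortens how long a leaked id stays useful.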