Is my Session script secure? im a newby

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


zargis
Forum Newbie
Posts: 2
Joined: Tue Nov 09, 2010 10:57 pm

Is my Session script secure? im a newby

Post by zargis »

Hey guys, I was wondering, since I'm new at PHP, if this is very secure for checking sessions and re-creating the key so they can't be stolen. Please point out all flaws and security holes, as I'm new and need to learn lol :] BTW, this is just part of my script for a user system. Also, it does have some weird bugs.

Anyways here it is:

```php
<?php
// Fragment of the user system; session_start() and the login step run before this point.
if (isset($_SESSION['tokenSID'])) {

    require("/home/a9199485/inc/db_connect.php");
    // GRAB unique-key from DB and put it into the SID string.
    $userNUM   = $_SESSION['correctuser'];
    $checkNUMq = mysql_query("SELECT sessionID FROM users WHERE username='$userNUM' LIMIT 1");
    $checkNUM  = mysql_fetch_array($checkNUMq);
    $checkNUM  = $checkNUM['sessionID'];
    // SID String: user agent hash + fixed strings + per-user key from the DB, hashed again.
    $checkSID  = md5($_SERVER['HTTP_USER_AGENT']);
    $checkSID .= md5('sillystringtotheright');
    $checkSID .= $checkNUM;
    $checkSID .= sha1('deathtotheleftonthehill');
    $checkSID  = md5($checkSID);
    // SEE if it matches the already stored session. If it has been stolen then lets hope it has expired haha.
    if ($_SESSION['tokenSID'] === $checkSID) {
        unset($_SESSION['tokenSID']);
        $logname = $userNUM;
        $member  = $logname;
        // RaNdOmIzE unique-key & send it to the database.
        $NUM  = sha1(microtime());
        $NUM .= md5(rand(1000000, 9999999));
        $NUM .= sha1($_SERVER['HTTP_USER_AGENT']);
        $regenerateNUM = md5(uniqid($NUM));
        $regenerateQUE = mysql_query("UPDATE users SET sessionID='$regenerateNUM' WHERE username='$logname' LIMIT 1");
        // Regenerate SID String (same construction as above, with the new key) & store it.
        $regenerateSID  = md5($_SERVER['HTTP_USER_AGENT']);
        $regenerateSID .= md5('sillystringtotheright');
        $regenerateSID .= $regenerateNUM;
        $regenerateSID .= sha1('deathtotheleftonthehill');
        $regenerateSID  = md5($regenerateSID);
        $_SESSION['tokenSID'] = $regenerateSID;
        // ... rest of the script
    }
}
```
So yeah, it's just part of the full script, but is this secure at all? I don't know, as I'm new to PHP :]. Haha, I think I got carried away with md5.
McInfo
DevNet Resident
Posts: 1532
Joined: Wed Apr 01, 2009 1:31 pm

Re: Is my Session script secure? im a newby

Post by McInfo »

It looks to me like a lot of smoke and burnt rubber with no distance traveled. :(

Read some articles about sessions and session security. Learn how sessions work and about the threats you are coding against.
zargis
Forum Newbie
Posts: 2
Joined: Tue Nov 09, 2010 10:57 pm

Re: Is my Session script secure? im a newby

Post by zargis »

Lol k haha, thanks... I know it's going to look bad to a pro, but yeah, I'm new at this and I'm teaching myself... kinda rushing through it too, which I shouldn't :S.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: Is my Session script secure? im a newby

Post by s.dot »

A couple notes that jump right out at me..

Hashing anything more than once (sha1, md5, whatever) is not a security improvement. In fact, from an entropy point of view, it may reduce security by creating more collisions.

It looks like you're wanting to create what's called a "fingerprint" (you can google php fingerprint and you should find some things).

General session usage is generally secure for your day-to-day stuff. Just remember, when you need a change in elevation of access to a particular area, regenerate the session (deleting the old one, if you can). If you need more than that, require that the user provide more authentication before granting their access and regenerating the session (like supplying their password again, or an alternate password, or something similar).

It's actually not a bad idea to regenerate sessions regularly, regardless of access levels.
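The following is an added example, not zargis's script and not code from the forum, showing one way to put s.dot's advice into practice with PHP's built-in sessions: a keyed "fingerprint" instead of a chain of md5/sha1 calls, `session_regenerate_id(true)` on login and on a timer (deleting the old session), and a password re-entry gate for sensitive areas. It assumes PHP 7.3 or newer (array form of `session_set_cookie_params`) and HTTPS; `FINGERPRINT_SECRET` and the two redirect targets are placeholders.

```php
<?php
// Added example, not zargis's script or the forum's own code.
// Assumes PHP 7.3+ and HTTPS. FINGERPRINT_SECRET, /login.php and /reauth.php
// are placeholders; load the secret from configuration in a real application.
declare(strict_types=1);

const FINGERPRINT_SECRET  = 'replace-with-a-long-random-server-side-secret';
const REGENERATE_INTERVAL = 300;   // seconds between routine session ID rotations
const REAUTH_WINDOW       = 600;   // seconds a password re-entry stays valid

function sessionFingerprint(): string
{
    // Keyed hash of a property that should stay stable for one client. The
    // server-side key is what an attacker who knows the user agent lacks;
    // hashing the same input several more times would add nothing.
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, FINGERPRINT_SECRET);
}

function rotateSessionId(): void
{
    // true = delete the old session data, so the previous ID stops working.
    session_regenerate_id(true);
    $_SESSION['regenerated'] = time();
}

function destroySession(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

function secureSessionStart(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_start();

    $fp = sessionFingerprint();
    if (!isset($_SESSION['fingerprint'])) {
        // Brand-new session: record the fingerprint to compare on later requests.
        $_SESSION['fingerprint'] = $fp;
        $_SESSION['regenerated'] = time();
        return;
    }
    if (!hash_equals($_SESSION['fingerprint'], $fp)) {
        // Client no longer matches the one that created the session: drop it.
        destroySession();
        header('Location: /login.php'); // placeholder
        exit;
    }
    if (time() - $_SESSION['regenerated'] > REGENERATE_INTERVAL) {
        rotateSessionId(); // routine rotation, regardless of access level
    }
}

function loginUser(int $userId): void
{
    // Anonymous -> authenticated is a change in access level: new ID, old one deleted.
    rotateSessionId();
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();
}

function requireRecentAuth(): void
{
    // Gate for sensitive areas: send the user back to the password prompt
    // unless they typed it within the last REAUTH_WINDOW seconds.
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php'); // placeholder
        exit;
    }
    if (time() - ($_SESSION['auth_time'] ?? 0) > REAUTH_WINDOW) {
        header('Location: /reauth.php'); // placeholder
        exit;
    }
}

function confirmPassword(string $candidate, string $storedHash): bool
{
    // Successful re-entry: rotate the ID again and refresh the timestamp.
    if (!password_verify($candidate, $storedHash)) {
        return false;
    }
    rotateSessionId();
    $_SESSION['auth_time'] = time();
    return true;
}

// Usage: secureSessionStart() on every page; loginUser($id) after a verified
// login; requireRecentAuth() at the top of a sensitive page; confirmPassword()
// from the re-auth form, with $storedHash coming from password_hash().
```

Two design points worth noting: the per-user key that zargis's script keeps in the database is unnecessary here because PHP's own session ID already is the unpredictable secret, and `session_regenerate_id(true)` replaces it while discarding the old record. The fingerprint is deliberately only the user agent; adding the client IP address to it is common advice but logs out users whose address changes mid-session (mobile networks, proxies), so decide that per application rather than by default.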