Page 1 of 1

Is my Session script secure? im a newby

Posted: Tue Nov 09, 2010 11:04 pm
by zargis
Hey guys i was wondering, since im new at php, if this is very secure for checking sessions & re-creating the key so they can't be stolen. Please point out all flaws & security holes as I'm new and need to learn lol :] BTW this is just part of my script for a user system. Also it does have some weird bugs.

Anyways here it is:

Code: Select all

if (isset($_SESSION['tokenSID'])) {
	
	require("/home/a9199485/inc/db_connect.php");
	//GRAB unique-key from DB and put it into the SID string.
	$userNUM = $_SESSION['correctuser'];
	$checkNUMq = mysql_query("SELECT sessionID FROM users WHERE username='$userNUM' LIMIT 1");
	$checkNUM = mysql_fetch_array($checkNUMq);
	$checkNUM = $checkNUM['sessionID'];
	// SID String.
	$checkSID = md5($_SERVER['HTTP_USER_AGENT']);
	$checkSID .= md5('sillystringtotheright');  
	$checkSID .= $checkNUM;
	$checkSID .= sha1('deathtotheleftonthehill');
	$checkSID = md5($checkSID);
	// SEE if it matches the already stored session. If it has been stolen then lets hope it has expired haha.
	if($_SESSION['tokenSID'] === $checkSID) {
		unset($_SESSION['tokenSID']);
		$logname = $userNUM;
		$member = $logname;
		// RaNdOmIzE unique-key & send it database.
		$NUM = sha1(microtime());
		$NUM .= md5(rand(1000000,9999999));
		$NUM .= sha1($_SERVER['HTTP_USER_AGENT']);
		$regenerateNUM = md5(uniqid($NUM));
		$regenerateQUE = mysql_query("UPDATE users SET sessionID='$regenerateNUM' WHERE username='$logname' LIMIT 1");
		// Regenerate SID String & store it.
		$regenerateSID = md5($_SERVER['HTTP_USER_AGENT']);
		$regenerateSID .= md5('sillystringtotheright'); 
		$regenerateSID .= $regenerateNUM;
		$regenerateSID .= sha1('deathtotheleftonthehill');
		$regenerateSID = md5($regenerateSID);		
		$_SESSION['tokenSID'] = $regenerateSID;
So yeah its just part of the full script but is this secure at all? I don't know as im new php :]. haha i think i got carried away with md5

Re: Is my Session script secure? im a newby

Posted: Tue Nov 09, 2010 11:57 pm
by McInfo
It looks to me like a lot of smoke and burnt rubber with no distance traveled. :(

Read some articles about sessions and session security. Learn how sessions work and about the threats you are coding against.

Re: Is my Session script secure? im a newby

Posted: Wed Nov 10, 2010 1:52 am
by zargis
Lol k haha, thanks... i know its going to look bad to a pro but yeah i'm new at this and I'm teaching myself... kinda rushing through it too, which i shouldn't :S.

Re: Is my Session script secure? im a newby

Posted: Wed Nov 10, 2010 10:15 am
by s.dot
A couple notes that jump right out at me..

hashing anything more than once (sha1, md5, whatever) is not a security improvement. In fact, from an entropy point of view, it may reduce security by creating more collisions.

It looks like you're wanting to create what's called a "fingerprint" (you can google php fingerprint and you should find some things).

General session usage is generally secure for your day to day stuff. Just remember when you need a change in elevation of access to a particular area, regenerate the session (deleting the old one, if you can). If you need more than that, require that the user provide more authentication before granting their access and regenerating the session (like supplying their password again, or an alternate password, or something similar).

It's actually not a bad idea to regenerate sessions regularly, regardless of access levels.