First of all, please excuse my poor english! I need some help for making a (relatively) secure session management class and a system to authenticate users. I know that they are lots of ready-made scripts out there, but I need to make this one all by myself. I also know that little knowledge is worst than not knowing anything, but I still need to make this script, even if I don't really know very much about security in PHP. This is why I need your help.
I've written a piece of code for managing session and store them in a mysql database. I've tried to avoid all the problems that may appear by session hijacking or session fixation but... I need some advices from the experts
I've bored you enought with my talking, so let's see the code:
Code: Select all
<?php
// Author: Stefan Vaduva
// Website: http://www.vamist.com
// Thanks to Matt Wade for this tutorial: http://www.zend.com/zend/spotlight/code ... -wade8.php
// If you use this piece of code, please do not remove this header
require_once('settings.php');
class session_manager
{
private $sql;
function __construct()
{
session_set_save_handler
(
array(&$this, 'open'),
array(&$this, 'close'),
array(&$this, 'read'),
array(&$this, 'write'),
array(&$this, 'destroy'),
array(&$this, 'gc')
);
session_regenerate_id(); //this is to avoid session fixation
session_start();
}
function open($ses_path, $ses_name)
{
$this -> sql = new mysqli(settings::$sql_host, settings::$sql_user, settings::$sql_pass, settings::$sql_db);
if(mysqli_connect_error())
{
echo mysqli_connect_error();
return FALSE;
}
else
{
return TRUE;
}
}
function close()
{
$this -> gc(0);
$this -> sql -> close();
return TRUE;
}
function read($ses_id)
{
$result = $this -> sql -> query("e;SELECT * FROM "e;.settings::$ses_table."e; WHERE ses_id = '$ses_id'"e;);
if((!$this -> sql -> error) && ($result))
{
$row = $result -> fetch_assoc();
if($rowї'ses_owner'] != $_SERVERї'REMOTE_ADDR']) //this to avoid session hijacking (return the session value only if the request is made from the computer that started the session)
{
return '';
}
else
{
return $rowї'ses_value'];
}
}
else
{
return '';
}
}
private function success_query($result) //check if the query was successfully
{
if((!$this -> sql -> error) && ($result))
{
return TRUE;
}
else
{
return FALSE;
}
}
function write($ses_id, $ses_value)
{
$ses_value = $this -> sql -> real_escape_string($ses_value);
$result = $this -> sql -> query("e;INSERT INTO "e;.settings::$ses_table."e; (ses_id, ses_time, ses_start, ses_value, ses_owner) VALUES ('$ses_id', '"e;.time()."e;', '"e;.time()."e;', '$ses_value', '"e;.$_SERVERї'REMOTE_ADDR']."e;')"e;);
$err = $this -> sql -> errno;
if((($err == 1062) || ($err == 1022)) && (!$result))
{
$result = $this -> sql -> query("e;UPDATE "e;.settings::$ses_table."e; SET ses_time = '"e;.time()."e;', ses_value = '$ses_value' WHERE ses_id = '$ses_id' AND ses_owner = '"e;.$_SERVERї'REMOTE_ADDR']."e;'"e;);
return $this -> success_query($result);
}
else
{
return TRUE;
}
}
function destroy($ses_id)
{
$result = $this -> sql -> query("e;DELETE FROM "e;.settings::$ses_table."e; WHERE ses_id = '$ses_id'"e;);
return $this -> success_query($result);
}
function gc($ses_life)
{
$result = $this -> sql -> query("e;DELETE FROM "e;.settings::$ses_table."e; WHERE ses_time < "e;.strtotime('-'.settings::$ses_life.' minutes'));
return $this -> success_query($result);
}
}
?>Sorry for the lenght of this post and I hope that I don't upset anybody with this thread.
Thanks,
Stefan