Secure session management
Posted: Sat Apr 23, 2005 3:03 pm
Hello,
First of all, please excuse my poor English! I need some help for making a (relatively) secure session management class and a system to authenticate users. I know that there are lots of ready-made scripts out there, but I need to make this one all by myself. I also know that little knowledge is worse than not knowing anything, but I still need to make this script, even if I don't really know very much about security in PHP. This is why I need your help.
I've written a piece of code for managing sessions and storing them in a MySQL database. I've tried to avoid all the problems that may appear through session hijacking or session fixation but... I need some advice from the experts.
I've bored you enough with my talking, so let's see the code:
If any of you has patience, I will dare to ask you to analyze my code and tell me if an attacker can still get unauthorized access to my website by using the session hijacking technique, session fixation or any other technique. I know that some users can't get access to my website if they have an IP that is changing with every request, but now I don't care about that.
<?php
// Author: Stefan Vaduva
// Website: http://www.vamist.com
// Thanks to Matt Wade for this tutorial: http://www.zend.com/zend/spotlight/code ... -wade8.php
// If you use this piece of code, please do not remove this header
require_once('settings.php');

class session_manager
{
    private $sql;

    function __construct()
    {
        session_set_save_handler(
            array($this, 'open'),
            array($this, 'close'),
            array($this, 'read'),
            array($this, 'write'),
            array($this, 'destroy'),
            array($this, 'gc')
        );
        // Make sure the session is written back before this object is destroyed at shutdown
        register_shutdown_function('session_write_close');
        session_start();
        // This is to avoid session fixation. It must run after session_start(): before it there is
        // no active session to regenerate. TRUE deletes the record stored under the old ID.
        session_regenerate_id(TRUE);
    }

    function open($ses_path, $ses_name)
    {
        $this->sql = new mysqli(settings::$sql_host, settings::$sql_user, settings::$sql_pass, settings::$sql_db);
        if (mysqli_connect_error())
        {
            echo mysqli_connect_error();
            return FALSE;
        }
        return TRUE;
    }

    function close()
    {
        $this->gc(0);
        $this->sql->close();
        return TRUE;
    }

    function read($ses_id)
    {
        // The session ID comes from the client's cookie, so it is escaped like any other input
        $ses_id = $this->sql->real_escape_string($ses_id);
        $result = $this->sql->query("SELECT * FROM ".settings::$ses_table." WHERE ses_id = '$ses_id'");
        if (!$this->success_query($result))
        {
            return '';
        }
        $row = $result->fetch_assoc();
        // This is to avoid session hijacking: return the session value only if the request is made
        // from the computer that started the session (an unknown ID gives an empty session too)
        if (!$row || $row['ses_owner'] != $_SERVER['REMOTE_ADDR'])
        {
            return '';
        }
        return $row['ses_value'];
    }

    private function success_query($result) // check if the query was successful
    {
        return ((!$this->sql->error) && ($result)) ? TRUE : FALSE;
    }

    function write($ses_id, $ses_value)
    {
        $ses_id    = $this->sql->real_escape_string($ses_id);
        $ses_value = $this->sql->real_escape_string($ses_value);
        $owner     = $this->sql->real_escape_string($_SERVER['REMOTE_ADDR']);
        $now       = time();
        $result = $this->sql->query("INSERT INTO ".settings::$ses_table." (ses_id, ses_time, ses_start, ses_value, ses_owner) VALUES ('$ses_id', '$now', '$now', '$ses_value', '$owner')");
        $err = $this->sql->errno;
        if ((($err == 1062) || ($err == 1022)) && (!$result))
        {
            // Duplicate key: the session row already exists, so update it, but only for its owner
            $result = $this->sql->query("UPDATE ".settings::$ses_table." SET ses_time = '$now', ses_value = '$ses_value' WHERE ses_id = '$ses_id' AND ses_owner = '$owner'");
        }
        // Report the real outcome of the INSERT (or UPDATE) instead of assuming success
        return $this->success_query($result);
    }

    function destroy($ses_id)
    {
        $ses_id = $this->sql->real_escape_string($ses_id);
        $result = $this->sql->query("DELETE FROM ".settings::$ses_table." WHERE ses_id = '$ses_id'");
        return $this->success_query($result);
    }

    function gc($ses_life)
    {
        // $ses_life (PHP's gc_maxlifetime, in seconds) is ignored; the lifetime in minutes from settings is used
        $result = $this->sql->query("DELETE FROM ".settings::$ses_table." WHERE ses_time < ".strtotime('-'.settings::$ses_life.' minutes'));
        return $this->success_query($result);
    }
}
?>

Sorry for the length of this post and I hope that I don't upset anybody with this thread.
Thanks,
Stefan
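The save handler above only covers storage; the login side needs the same two controls, so here is an added example (not Stefan's code, not from his site) of a hardened session bootstrap plus a login step that regenerates the ID at the moment privileges change. It assumes PHP 7.3 or later, that `start_secure_session()` has been called before `login()`, and `$users` is a constructed in-memory stand-in for the real lookup in the MySQL user table.

```php
<?php
// Added example, not part of Stefan's class: start the session with hardened
// settings and regenerate the ID when the user authenticates. $users is a
// constructed stand-in for the real lookup in the MySQL user table.
declare(strict_types=1);
function start_secure_session(): void
{
    // Refuse session IDs the server never issued, so an ID planted by an
    // attacker (fixation) is discarded instead of being adopted.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');    // never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // cookie is sent over HTTPS only
        'httponly' => true,      // not readable by JavaScript (limits XSS-based theft)
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed sample credential store; the hash is computed at runtime so the
// example runs without a database. Real code would read the hash from MySQL.
$users = array('stefan' => password_hash('correct horse', PASSWORD_DEFAULT));

function login(array $users, string $user, string $pass): bool
{
    $hash = $users[$user] ?? null;
    if ($hash === null || !password_verify($pass, $hash)) {
        return false;
    }
    // Privilege changes here: issue a new ID and delete the old record, so an
    // ID the client held before logging in grants nothing afterwards.
    session_regenerate_id(true);
    $_SESSION['user']    = $user;
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return true;
}

function is_authenticated(): bool
{
    if (!isset($_SESSION['user'], $_SESSION['ua_hash'])) {
        return false;
    }
    // Like the REMOTE_ADDR check in the save handler, a user-agent binding makes
    // a stolen cookie harder to replay; it complements HTTPS, it does not replace it.
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return hash_equals($_SESSION['ua_hash'], $ua);
}
```

With `use_strict_mode` on, an ID the client presents that is unknown to the handler's `read()` is replaced by a fresh one rather than stored, which is what closes the fixation window the post is worried about.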